CISA – Certified Information Systems Auditor
Information System Operations and Business Resilience
IT Assets management
• IT assets include people, information, infrastructure, and reputation.
• The first step in IT asset management is to identify and create an inventory of IT assets.
• The inventory of an IT asset should include details such as the following:
• Owner
• Custodian
• Asset identification
• Location
• Security Classification
• IT asset management includes both hardware and software.
• The IT department should have a list of approved software that can be installed and used. The installation of unapproved
software is a serious violation that carries major legal, financial, and security risks.
• The synchronization of production source code and objects can be best controlled by date-and-time stamping source and
object code. Date-and-time stamping helps here to ensure that both the source and the object code are in sync.
• Job scheduling
• A job schedule is a program that is used to run various processes automatically.
• Apart from scheduling batch jobs, it is also used to automate tape backups and other maintenance.
• An IS auditor should consider the following aspects while reviewing the job scheduling process.
• Whether procedures for collecting and reporting key performance indicators are defined and implemented
• Whether the priority of each job has been identified and scheduled correctly
• Whether an audit trail is captured for each job
• Whether job completion status is monitored and appropriate action is taken on failed jobs
• Whether approval roles are defined for scheduling, changing, or prioritizing jobs
• End user computing
• End user computing refers to a system wherein non-programmers can create their own applications.
• From a user perspective, end user computing is a quick way to build and deploy applications without relying on an IT
department. These applications are generally flexible and have the ability to quickly address any new requirements or
modifications.
• The following are some of the inherent risks of end user computing:
• Applications, so developed, may not be subject to various tests and therefore carry a risk to information security in terms
of data integrity, confidentiality, and availability.
• Users may not adhere to change management and release management procedures.
• System controls in terms of authorization, authentication, audit trails and logs, encryption, and non-repudiation may not
be given due importance.
• An appropriate redundancy and backup arrangement may not be addressed for business continuity.
• To address the preceding risks, a documented policy of End User Computing (EUC) should be available.
• Also, the auditor should ensure that an inventory of all such applications exist and that sensitive and critical applications are
subject to the appropriate controls.
• System performance management
• Nucleus (kernel) functions
• The nucleus is responsible for basic processes associated with the operating system.
• It manages process creation, interrupt handling, support for input and output processes, and the allocation and release of
memory, among other things.
• The nucleus is a highly sensitive area where access is restricted to only authorized users. Above the nucleus are
other operating system processes to support users. These are known as system software.
• Utility programs
• Utility programs help to manage and control computer resources.
• These programs support the operating system. Examples include disk tools, backup software, and data
dictionaries.
• Registry
• System settings and parameters are set in configuration files known as a registry.
• Control of the registry is an important aspect of IS auditing.
• Protecting the registry is important for ensuring the integrity, confidentiality, and availability of systems.
• Activity logging
• It is very important to log activities for future analysis.
• Also, these logs should be appropriately protected as an intruder may attempt to alter logs to hide their activities.
• The best way to protect logs is to capture them in a centralized secure server using security information and event
management (SIEM) software.
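The point of forwarding logs to a protected central server is that an intruder who controls the host cannot quietly rewrite history. The following added example (written for this page, not taken from the slides or any SIEM product) shows one way a log store can make tampering visible: each entry stores the SHA-256 of the entry before it, so editing or deleting an entry in the middle breaks every link after it. The event records are constructed sample data.

```python
import hashlib
import json
from typing import Dict, List, Optional, Tuple

# Added example, not from the slides: an append-only activity log whose entries
# are chained by SHA-256. Each entry stores the hash of the entry before it, so an
# intruder who edits or deletes a line in the middle breaks every hash after it.

GENESIS = "0" * 64  # value chained into the first entry

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T08:00:00Z", "user": "dba01", "action": "login", "host": "db-prod"},
    {"ts": "2024-01-01T08:05:12Z", "user": "dba01", "action": "ALTER TABLE payroll", "host": "db-prod"},
    {"ts": "2024-01-01T08:07:40Z", "user": "dba01", "action": "logout", "host": "db-prod"},
]


def entry_hash(prev_hash: str, record: Dict) -> str:
    """Hash the previous entry's hash together with a canonical JSON form of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append_entry(log: List[Dict], record: Dict) -> Dict:
    """Append a record to the chain and return the stored entry."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": dict(record), "prev": prev}
    entry["hash"] = entry_hash(prev, entry["record"])
    log.append(entry)
    return entry


def verify_chain(log: List[Dict]) -> Optional[int]:
    """Return None if every link is intact, otherwise the index of the first broken entry."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    return None


def build_sample_log() -> List[Dict]:
    log: List[Dict] = []
    for event in SAMPLE_EVENTS:
        append_entry(log, event)
    return log


def detect_tampering() -> Tuple[Optional[int], Optional[int], Optional[int]]:
    """Verify an intact log, a log with an edited entry, and a log with a deleted entry."""
    intact = build_sample_log()

    edited = build_sample_log()
    edited[1]["record"]["user"] = "someone_else"  # the ALTER is attributed to someone else

    shortened = build_sample_log()
    del shortened[1]                               # the ALTER entry disappears

    return verify_chain(intact), verify_chain(edited), verify_chain(shortened)


if __name__ == "__main__":
    print(detect_tampering())  # (None, 1, 1)
```

The chain only proves that the log was not altered after the fact if the latest hash is held somewhere the host cannot reach, which is exactly the role the central SIEM server plays; an auditor checking log protection should ask where that anchor is kept and who can write to it.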
• Software licensing issues
• An IS auditor should ensure that software copyright laws are followed by the organization.
• Any violation may lead to regulatory consequences, reputational loss, and financial loss by way of penalties.
• Even if an organization is using open source software, it is bound to abide by the terms and conditions of its usage.
• The best way to determine the use of unauthorized software is to scan the entire network using automated tools and
capture a list of installed software. Then, review that list by comparing it with the approved software list.
• Problem and Incident management
• The objective of problem management is to prevent the recurrence of an incident by identifying the root cause of the
incident and taking appropriate preventive action.
• The elements of problem management are investigation, in-depth analysis, root cause analysis, and addressing the
issues identified during the root cause analysis.
• Some widely accepted methodologies include fishbone analysis, Ishikawa cause and effect diagrams, 5 whys, and
brainstorming.
• The objective of problem management is reducing the number of incidents, whereas the objective of incident
management is achieving a return to a normal state as quickly as possible after an incident and thus minimizing the
business impact.
• Network management tools:
• Response time reports: To determine the response time taken by the host system to respond to a user's query.
• Downtime reports: To determine and track the unavailability of telecommunication lines and circuits.
• Help desk reports: To determine help desk activities such as the nature of queries, the number of open calls, turnaround time,
and problems and their resolution.
• Online monitors: To determine data transmission errors and accuracy.
• Network monitors: To provide real-time information on network nodes and their status.
• Network protocol analyzers: Network diagnostic tools used to determine and monitor the packets flowing along a link. They
produce network usage reports.
• Simple Network Management Protocol (SNMP): A TCP/IP-based protocol used to monitor, control, and manage network device
configuration. It collects statistics on performance and security.
Change management, configuration management and patch management
Change management
• A change management process is used to change hardware, install software, and configure various network devices.
• A change management process includes approval, testing, scheduling, and rollback arrangements.
• A change management process ensures that any modification to or updating of the system is carried out in a controlled
manner.
• Any changes to a system or process are likely to introduce new vulnerabilities and hence it is very important for the security
manager to identify and address new risks.
• For effective change management, it is important that the security team should be apprised of every major change. This will
ensure that security aspects are considered for any change.
• Change management is considered to be a preventive control as it requires all change requests to pass through formal
approval, documentation, and testing by a supervisory process.
• One of the most important aspects of change management control is code signing. Code signing provides assurance that
software has been generated from a reputable source and that the code has not been modified after having been signed. The
process employs the use of a hash function to determine the integrity and authenticity of code.
• Configuration management
• Configuration management establishes a baseline software release.
• The baseline is used to identify the software and hardware components that make specific versions of a system.
• In the case of the failure of a new release, the baseline will be considered as a point to which to return.
Patch management
• Patch management is the process of updating operating systems and other software to correct an error or
enhance performance.
• A well-defined and structured patch management process helps to address the new vulnerabilities related
to operating systems.
• Patches are generally applied to operating systems, applications, and network software.
• Patches will help to fix the vulnerability in the system. Patches should be applied through a structured
change management process that includes approval, testing, user acceptance testing, and proper
documentation.
• Testing a patch prior to implementation is one of the most important aspects, as deploying an untested
patch may cause the system to fail. Also, appropriate rollback procedures should be in place in case of
unexpected failure.
• Compliance testing will help to ensure that a change management process is applied consistently and that
changes are appropriately approved.
• The best method to determine the effectiveness of a control process is to first review a sample of
conducted changes and then ask for relevant approvals for these changes.
• Database management system (DBMS)
• A database management system (DBMS) helps in organizing, controlling, and managing data.
• It aims to reduce data redundancy and improve access time.
• It also aims to provide appropriate security for sensitive data.
• Database models
• Hierarchical: records are logically organized into a hierarchy of relationships.
• All records in the hierarchy are called nodes.
• Each node is related to the others in a parent-child relationship.
• The top parent record in the hierarchy is called the root record.
• Network database model: each set is made up of an owner record and one or more member records.
• Unlike the hierarchical model, the network model permits a record to be a member of more than one set at one time.
• This allows the many-to-one and many-to-many relationship types.
• Network databases directly address the location of a record on disk. This gives excellent retrieval performance.
• Relational database model
• In a relational database, all the tables are related through one or more fields.
Through these common fields, it is possible to connect all the tables in a
database.
• For each table, one of the fields is identified as a primary key, which is the
unique identifier for each record in the table.
• The primary key is used to join or combine data from two or more tables.
• Referential integrity refers to the integrity and correctness of data within a
related table.
• The data in primary or master tables should be consistent with the data in
related tables (also known as foreign tables).
• Any changes to the primary key must be applied to associated foreign keys.
• Referential integrity will prevent users from adding records in a foreign table, if
records are not available in the primary table.
• At the same time, users cannot delete primary keys, if related records are
available in the foreign table.
• In the table shown on the slide, employee number 1 cannot be deleted as it also exists in the foreign tables. However,
employee number 6 can be deleted from the primary table as it does not exist in any foreign table.
• Object-oriented database model
• An object-oriented database is a set of objects. Each object is an independently functioning application or program,
assigned a specific task to perform.
• The OODM is designed to manage all these independent programs to quickly process large and complex requests.
• An object-oriented database provides a mechanism to store complex data such as images, audio, and video.
• Database Normalization:
• Normalization is the process of reducing duplicate data and thus reducing data redundancy.
• Redundancy is considered as a negative thing in a database environment as it means more effort and storage being
necessary to handle data.
• Leaving tables unnormalized (denormalization) results in more redundant data, which may impact the consistency and integrity of data.
• When an IS auditor observes that some tables in a database are not normalized, they should review justification and
compensatory control for denormalization.
• Database checks and controls
• Concurrency control: To prevent integrity issues during simultaneous updates by multiple users.
• Table link/table reference check: To identify table linking errors such as incomplete or inaccurate content in a database.
• Integrity constraint: To allow only valid predefined data to enter the database, and to prevent out-of-range data in the
database. It is a preventive control.
• Atomicity: To ensure that either the entire transaction is processed or none of it is processed. This will ensure that
partially executed transactions are rolled back and not processed.
• Referential integrity: This will prevent the deletion of a primary-table record as long as it has associated foreign-key records.
• Commit and rollback controls: This ensures that a transaction is completed in its entirety or not at all. It ensures integrity.
• User spool and database limit control: This helps to control space utilization and thus improve database query performance.
• Restore procedure: In the case of corruption in a database, the database can be restored to its last archived version. This is a
corrective control.
• Column- and row-level restrictions: This helps to restrict particular sensitive columns or rows of a database to only a few
authorized users. This means there is no need to have a separate database for such sensitive information.
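The referential integrity rule from the relational model section (employee 1 cannot be deleted while foreign rows reference it, employee 6 can) and the integrity constraint, atomicity, and commit/rollback controls listed above can all be exercised against a real database engine. The following added example (written for this page, not taken from the slides) does so in SQLite through Python's standard sqlite3 module; the `employee` and `payroll` tables, the six employees, and the payroll rows are constructed for the example. Note that SQLite enforces foreign keys only after `PRAGMA foreign_keys = ON`, a configuration detail an auditor reviewing such a database would want to confirm.

```python
import sqlite3
from typing import Dict, List, Tuple

# Added example, not from the slides: the primary/foreign table situation described
# above, reproduced in SQLite. Table names, employees and payroll rows are constructed.

SCHEMA = """
CREATE TABLE employee (
    emp_no INTEGER PRIMARY KEY,
    name   TEXT NOT NULL
);
CREATE TABLE payroll (
    pay_id INTEGER PRIMARY KEY,
    emp_no INTEGER NOT NULL REFERENCES employee(emp_no),   -- foreign key (referential integrity)
    amount INTEGER NOT NULL CHECK (amount > 0)             -- integrity constraint (preventive)
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores foreign keys unless this is set
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO employee VALUES (?, ?)",
                     [(n, f"Employee {n}") for n in range(1, 7)])
    # Employees 1, 2 and 3 have rows in the foreign table; 4, 5 and 6 do not.
    conn.executemany("INSERT INTO payroll (emp_no, amount) VALUES (?, ?)",
                     [(1, 5000), (2, 4200), (3, 3900)])
    conn.commit()
    return conn


def try_delete_employee(conn: sqlite3.Connection, emp_no: int) -> bool:
    """Delete a primary-table record; False if referential integrity blocks it."""
    try:
        with conn:  # commits on success, rolls back on exception
            conn.execute("DELETE FROM employee WHERE emp_no = ?", (emp_no,))
        return True
    except sqlite3.IntegrityError:
        return False


def try_insert_payroll(conn: sqlite3.Connection, emp_no: int, amount: int) -> bool:
    """Insert into the foreign table; False if the FK or CHECK constraint rejects it."""
    try:
        with conn:
            conn.execute("INSERT INTO payroll (emp_no, amount) VALUES (?, ?)", (emp_no, amount))
        return True
    except sqlite3.IntegrityError:
        return False


def insert_batch_atomically(conn: sqlite3.Connection, rows: List[Tuple[int, int]]) -> int:
    """Insert all rows in one transaction or none of them; return the resulting row count."""
    try:
        with conn:
            conn.executemany("INSERT INTO payroll (emp_no, amount) VALUES (?, ?)", rows)
    except sqlite3.IntegrityError:
        pass  # whole batch rolled back, including rows inserted before the failing one
    return conn.execute("SELECT COUNT(*) FROM payroll").fetchone()[0]


def run_checks() -> Dict[str, object]:
    conn = open_db()
    results = {
        "delete_emp_1": try_delete_employee(conn, 1),        # blocked: referenced by payroll
        "delete_emp_6": try_delete_employee(conn, 6),        # allowed: no foreign rows
        "orphan_row": try_insert_payroll(conn, 99, 100),     # blocked: employee 99 does not exist
        "negative_amount": try_insert_payroll(conn, 2, -5),  # blocked: CHECK constraint
        "partial_batch": insert_batch_atomically(conn, [(4, 100), (99, 100)]),  # stays at 3 rows
        "good_batch": insert_batch_atomically(conn, [(4, 100), (5, 200)]),      # now 5 rows
    }
    conn.close()
    return results


if __name__ == "__main__":
    print(run_checks())
```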
• Segregation of duties
• An IS auditor should understand the various roles and responsibilities of database administrators (DBAs) to ensure that
an appropriate segregation of duties exists.
• The following are some of the routine activities of a DBA:
• Conducting changes in the database table
• Conducting backup and recovery procedures
• Consulting on database interfaces
• Using tools and techniques to optimize database performance
• It is very important to ensure that the DBA conducts the preceding activities using their named account (and not a shared
account) to establish accountability.
• Logs should be captured for all database activities. Logs should be restricted for modification and DBAs should not be provided
with access to the log server.
• From the perspective of control, DBAs should not be allowed to perform the following activities:
• Activities related to log capturing and the monitoring of DBA functions
• End user activities
• Security patch updates for the operating system
• Business Resilience
• Business resilience is the mechanism by which prevention and recovery mechanisms are developed to deal with
possible threats to a company.
• It is the ability to adapt quickly to disruptions while maintaining ongoing business operations and safeguarding people,
assets, and brand equity overall.
• Business impact analysis
• The BIA is a process to determine and evaluate the impact of disruption on business processes and so prepare to deal
with such disruptive events.
• A BIA is a process to determine the critical processes whose disruption would have a considerable impact on the business.
• It determines processes to be recovered as a priority so as to ensure an organization's survival.
• In order to conduct a successful BIA, it is necessary to obtain an understanding of the organization and key business
processes and its dependency on IT and other resources.
• This can be obtained from the outcome of the risk assessment.
• The involvement of senior management, the IT department, and end users is critical in terms of conducting a BIA
successfully.
• The following are some of the approaches when it comes to performing a BIA:
• A questionnaire approach involves developing a detailed set of questions and circulating it to key users.
• The information obtained is then tabulated and analyzed to develop a BIA.
• An interview approach involves interviewing key users. The information obtained is tabulated and analyzed to
develop a BIA.
• A meeting approach involves holding meetings with key users to ascertain the potential business impact of
various disruptions.
• To determine the business impact, two independent cost factors need to be considered. The first one is downtime cost.
Examples of downtime cost include a drop in sales, the cost of idle resources, and interest costs.
• The other cost element relates to alternative corrective measures, such as the activation of a BCP and other recovery
costs.
• Data backup and restoration
• An organization should have a documented backup policy in place
that clearly identifies the type of data and information for which
making a backup is mandatory.
• Types of backup strategy
• Backup of the full database
• Differential backup: A backup is taken only of the new or modified data since the last full backup (the reference
point is always the last full backup).
• Incremental backup: A backup is taken only of the new or modified data since the last backup of any type (the
reference point can be either a full backup or an incremental backup).
• In a full backup, the entire database is backed up every time, regardless of
previous backups. However, a full backup consumes a lot of time and
space.
• To avoid this, many organizations resort to either a differential backup or an
incremental backup.
• Capacity Requirements:
• Full backup: Requires more time and storage capacity compared
with the other two schemes
• Differential: Requires less time and storage capacity compared with
a full backup, but more than an incremental backup.
• Incremental: Requires less time and storage capacity compared
with the other two schemes
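The trade-off between the three schemes is easiest to see by running them side by side. The following added example (written for this page, not taken from the slides) simulates one backup per day over a constructed four-day change history, records what each backup captures, and works out how many backup sets a restore must read; the file names and change days are invented for the example. The storage and restore figures it produces follow the capacity ordering stated above: full costs the most storage but restores from one set, differential needs the last full plus the newest differential, and incremental stores the least but restores from the full plus every incremental since.

```python
from typing import Dict, List, Set, Tuple

# Added example, not from the slides: simulation of full, differential and incremental
# backup schemes over a constructed change history.

# Constructed history: day -> files created or modified on that day.
CHANGES: Dict[int, Set[str]] = {
    1: {"ledger.db", "orders.csv", "config.yml"},
    2: {"orders.csv"},
    3: {"config.yml", "audit.log"},
    4: {"ledger.db"},
}

Backup = Tuple[int, str, frozenset]  # (day, kind, files captured)


def changed_between(changes: Dict[int, Set[str]], after_day: int, up_to_day: int) -> Set[str]:
    """Files modified on any day in the interval (after_day, up_to_day]."""
    files: Set[str] = set()
    for day, modified in changes.items():
        if after_day < day <= up_to_day:
            files |= modified
    return files


def run_schedule(changes: Dict[int, Set[str]], strategy: str, full_days: Set[int]) -> List[Backup]:
    """Take one backup per day. Days in full_days (and always the first day) get a full
    backup; the other days get a differential or incremental backup per the strategy."""
    if strategy not in ("full", "differential", "incremental"):
        raise ValueError(f"unknown strategy {strategy!r}")
    backups: List[Backup] = []
    last_full_day = None
    last_backup_day = 0
    for day in sorted(changes):
        if strategy == "full" or day in full_days or last_full_day is None:
            kind, files = "full", changed_between(changes, 0, day)                    # everything so far
            last_full_day = day
        elif strategy == "differential":
            kind, files = "differential", changed_between(changes, last_full_day, day)  # since last full
        else:
            kind, files = "incremental", changed_between(changes, last_backup_day, day)  # since last backup
        backups.append((day, kind, frozenset(files)))
        last_backup_day = day
    return backups


def restore_chain(backups: List[Backup], day: int) -> List[Backup]:
    """The backup sets, in order, needed to rebuild the data as of the given day."""
    available = [b for b in backups if b[0] <= day]
    full_idx = max(i for i, b in enumerate(available) if b[1] == "full")
    later = available[full_idx + 1:]
    if not later:
        return [available[full_idx]]
    if later[-1][1] == "differential":
        return [available[full_idx], later[-1]]  # full + newest differential only
    return [available[full_idx]] + later         # full + every incremental since it


def summarize(changes: Dict[int, Set[str]], strategy: str, full_days: Set[int],
              restore_day: int) -> Dict[str, object]:
    backups = run_schedule(changes, strategy, full_days)
    chain = restore_chain(backups, restore_day)
    restored: Set[str] = set()
    for _, _, files in chain:
        restored |= files
    return {
        "storage": sum(len(b[2]) for b in backups),        # file copies kept in total
        "restore_sets": len(chain),                         # backup sets a restore must read
        "restore_entries": sum(len(b[2]) for b in chain),   # file copies a restore must read
        "complete": restored == changed_between(changes, 0, restore_day),
    }


if __name__ == "__main__":
    for strategy in ("full", "differential", "incremental"):
        print(strategy, summarize(CHANGES, strategy, {1}, 4))
```

The `complete` flag is the check an auditor cares about: the restore chain must reproduce every file that existed on the restore day. The `full_days` parameter also shows why differential and incremental schemes still need periodic full backups, since every restore chain starts from the most recent one.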
• System resiliency
• System resilience is the ability of a system to withstand a disaster and to recover within an acceptable timeframe.
• Application resiliency – clustering
• Clustering helps to protect an application against a disaster.
• The aim of clustering is to provide for the high availability of the system.
• Cluster software is installed on every server where the application runs.
• An application that is clustered is protected against a single point of failure.
• Application clusters can be either active-passive or active-active. In an active-passive setup, an application runs only on
one node, while other passive nodes are used only if an application fails on the active node.
• In an active-active cluster setup, the application runs on every node of the cluster.
• An active-active setup, though more expensive than an active-passive setup, provides quick application recovery, load
balancing, and scalability.
• Telecommunication network resiliency
• It is important to arrange for redundant telecommunication and network devices in order to ensure the continuity of
business operations.
• The following are network protection methods:
• Alternative routing: This is a method of routing the information through some alternative cables such as copper
cable or fiber optics cable. Two types:
• Last-mile circuit protection: Last mile circuit protection is used to have redundancy for local communication.
• Long-haul network diversity: It is used to have redundancy for long distance communication.
• Diverse routing: This is a method for routing information through split or duplicate cables.
• In diverse routing, a single cable is split into two parts, whereas in alternative routing, two entirely different cables are
used.
• Business continuity plan
• The objective of a BCP process is to manage and mitigate the risk of disaster so that the continuity of business
operations can be ensured.
• It is very important that the BCP is reviewed and approved by senior management. This will ensure that the BCP is
aligned with the goals of the business.
• Steps of the BCP life cycle
• Project and scope planning
• Risk assessment and analysis
• BIA
• Business continuity strategy development
• BCP development
• Business continuity awareness training
• BCP testing
• BCP monitoring, maintenance, and updating
• The plan should be well documented and written in simple language that should be understandable to all.
• The plan should clearly document the responsibilities and accountability of each individual responsible for specific tasks
in the event of a disaster.
• A BCP should also consider the type and requirement of the backup procedure.
• Generally, for critical and time-sensitive data, shadow file processing is recommended.
• In shadow file processing, exact duplicates of files are maintained, preferably at a remote site.
• Both the files are processed concurrently. Shadow file processing can be implemented as a recovery mechanism for
extremely time-sensitive transaction processing.
• It is important to ensure that the offsite location is not subject to the same risks as the primary site. 
• If both the primary site and the offsite location operate from the same place, a disaster may put both of them out of
action, which could have an adverse impact on business continuity.
• It is recommended to review the BCP in terms of its adequacy every time a risk assessment is conducted in order to
ensure that the BCP is aligned with the latest risk assessment of the organization.
• Types of BCP tests
• Checklist test: Copies of the plan are distributed to the different departments, and functional managers review them.
• Structured walk-through (tabletop) test: Representatives from each department go over the plan together.
• Simulation test: The team works through a disaster scenario; the test continues up to the point of actual relocation to an offsite facility.
• Parallel test: Systems are moved to the alternate site, and processing takes place there.
• Full-interruption test: The original site is shut down, and all processing is moved to the offsite facility.
• Disaster recovery plan
• A DRP is a set of documented processes to recover and protect a business's IT infrastructure in the event of a disaster.
• It involves various plans for actions to be taken before, during, and after a disaster. A DRP is like insurance; you will
only realize its importance when a disaster occurs.
• BCP vs DRP
• The objective of the BCP is to keep business operations functioning either from an alternate location or by means of
alternative tools and processes.
• The objective of the DRP is to restore normal business operations and to recover from a disaster.
• The BCP is the overall architecture for business continuity, whereas the DRP is regarded as a technological aspect of
the BCP with more focus on IT systems and operations.
BCP Metrics:
Recovery time objective (RTO)
• RTO is the extent of acceptable system downtime. For example, an RTO of 2 hours indicates that an organization will not be
overly impacted if its system is down for up to 2 hours.
Recovery Point Objective (RPO)
• RPO is the extent of acceptable data loss. For example, an RPO of 2 hours indicates that an organization will not be overly
impacted if it loses data for up to 2 hours.
• Example 1: An organization can accept data loss for up to 4 hours. However, it cannot afford to have any downtime.
RTO – 0 hours; RPO – 4 hours.
• Example 2: An organization takes a data backup twice daily; that is, at noon and then at midnight. What is the RPO?
RPO - 12 hours.
• If the RTO and RPO are low (that is, zero or near zero), then systems and data will be critical for the organization.
Maximum tolerable outage (MTO)
• The MTO is the maximum amount of time that an organization can operate from an alternate site.
Service delivery objective
• The service delivery objective is the level of service and operational capability to be maintained from an alternate site.
• The service delivery objective is directly related to business needs and is the level of service to be attained during disaster
recovery.
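Example 2 above (backups at noon and midnight, RPO of 12 hours) is one instance of a general calculation: the RPO a backup schedule can deliver is the longest gap between consecutive backups, including the overnight gap back to the first one. The following added example (written for this page, not taken from the slides) performs that calculation for any list of daily backup times, checks a schedule against a required RPO, and works out the fewest evenly spaced backups that would meet one; the schedules are constructed inputs.

```python
import math
from typing import List

# Added example, not from the slides: what RPO a daily backup schedule actually delivers.


def worst_case_rpo_hours(backup_times: List[str]) -> float:
    """Largest gap in hours between consecutive daily backups given as "HH:MM", wrapping
    past midnight. A failure just before the next backup loses up to this much data."""
    if not backup_times:
        raise ValueError("at least one backup time is required")
    minutes = sorted(int(h) * 60 + int(m) for h, m in (t.split(":") for t in backup_times))
    gaps = [later - earlier for earlier, later in zip(minutes, minutes[1:])]
    gaps.append(24 * 60 - minutes[-1] + minutes[0])  # overnight gap from the last backup to the first
    return max(gaps) / 60


def schedule_meets_rpo(backup_times: List[str], required_rpo_hours: float) -> bool:
    """True if no gap in the schedule exceeds the RPO the business has set."""
    return worst_case_rpo_hours(backup_times) <= required_rpo_hours


def min_daily_backups_for_rpo(required_rpo_hours: float) -> int:
    """Fewest evenly spaced backups per day that keep the worst-case gap within the RPO."""
    return math.ceil(24 / required_rpo_hours)


if __name__ == "__main__":
    twice_daily = ["00:00", "12:00"]   # the schedule from Example 2
    print(worst_case_rpo_hours(twice_daily))              # 12.0
    print(schedule_meets_rpo(twice_daily, 4))             # False: Example 1 needs an RPO of 4 hours
    print(min_daily_backups_for_rpo(4))                   # 6
```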
• Alternate recovery site
• Mirrored site
• A mirrored site is regarded as an exact replica of the primary site.
• When arranging a mirrored site, the following components are already factored in:
• The availability of space and basic infrastructure
• The availability of all business applications
• The availability of an updated data backup
• A mirrored site can be made available for business operations in the shortest possible timeframe, as everything (in
terms of systems and data) is already in place.
• The cost of maintaining a mirrored site is very high compared to the alternatives.
• Hot site
• A hot site is the second-best alternative after a mirrored site.
• The following components are already factored in while arranging a hot site:
• The availability of space and basic infrastructure
• The availability of all business applications
• However, for a hot site to function, it also requires the following components:
• An updated data backup
• Warm site
• The following components are already factored in while arranging a warm site:
• The availability of space and basic infrastructure
• The availability of a few business applications
• However, for a warm site to function, it also requires the following components:
• An arrangement regarding the required IT applications
• An arrangement for the required data
• Cold site
• The following components are already factored in while arranging a cold site:
• The availability of space and basic infrastructure
• However, for a cold site to function, it also requires the following components:
• An arrangement regarding the required IT applications
• An arrangement for the required data
• Mobile site
• A mobile site is a movable vehicle equipped with the necessary computer equipment.
• A mobile site can be moved to any warm or cold site depending upon requirements.
• The scale of business operations will determine the need for a mobile site.
• Reciprocal agreement
• In a reciprocal agreement, two organizations having similar capabilities and processing capacities agree to provide support to one another in case of an emergency.
• Reciprocal agreements are not regarded as very reliable.
• A reciprocal agreement is the least expensive option, as it relies solely on an arrangement between two firms.
Protection of Information Assets
• Privacy is the right of the individual to demand that the utmost care be taken of their personal information that has been
shared with any organization or individual.
• The following are some of the privacy principles:
• Organizations should obtain appropriate consent before the transfer of personal
information to another jurisdiction.
• Organizations should specify the purposes for which personal information is collected.
• Organizations are required to retain personal information only as long as necessary.
• Organizations should have appropriate security safeguards for protecting personal information.
• Organizations should have an appropriate process for reporting compliance with the privacy policy, standards, and laws.
• Organizations should have an appropriate governance mechanism over the third-party
service provider processing privacy data on behalf of the organization.
• Organizations should comply with applicable data protection regulations for the transfer
of personal information across country borders.
• Physical access and environmental controls
• Physical controls aim to protect information system processing facilities through physical mediums, such as
locks, fences, closed-circuit TV (CCTV), and devices that are installed to physically restrict access to a
facility or hardware.
• Similarly, environmental controls refer to measures taken to protect systems, buildings, and related
supporting infrastructure against threats associated with their physical environment.
• The following are four types of power failure:
• Blackout: Blackout indicates a complete loss of power.
• Brownout: Severely reduced voltage, which may place strain on electronic equipment or may even
lead to permanent damage.
• Sags, Spikes, Surges:
• Sag is a rapid decrease in voltage level. Spikes and surges are rapid increases in voltage level.
• These may result in data corruption in the server or the system.
• Sags, spikes, and surges may be prevented by using properly placed protectors.
• Surge and spike devices help to protect against high-voltage power bursts.
• The most effective control to protect against the short-term reduction in electrical power is a
power line conditioner.
• Electromagnetic interference (EMI):
• EMI is generally the result of electrical storms or noisy electrical equipment.
• EMI may result in system corruption or damage.
• Water and Smoke Detectors
• In the computer room, water detectors should be placed under raised floors and near drain holes.
• Smoke detectors should be installed above and below the ceiling tiles throughout the facilities and
below the raised computer room floor.
• The location of the water and smoke detector should be highlighted for easy identification and access.
• Fire suppression system
• Wet-based sprinkler (WBS)
• WBS is considered more effective and reliable than a dry pipe system, as water always remains in the system
piping.
• However, one disadvantage is that it exposes the premises to water damage if the pipe leaks or
gets damaged.
• Dry pipe sprinkler
• In a dry pipe sprinkler, water is not stored in the pipes.
• When there is a fire alarm, a pump is activated, and water is sent into the system.
• One of the advantages of a dry sprinkler is that it does not expose the premises to water damage
due to pipe leakage. It is less reliable than WBS.
• Halon system
• Halon gas starves the fire by removing oxygen from the air.
• It is not safe for humans and the environment.
• It is important to install an audible alarm and there should be a process to evacuate humans
before the discharge of Halon gas.
• Popular replacements for Halon gas are FM-200 and Argonite.
• Physical access control
• Bolting door locks
• These are traditional kinds of locks that require a metal key to open the door.
• For these locks, the key should be under strict control and no one should be allowed to duplicate it.
• Combination door locks (cipher locks)
• In combination door locks, access is authorized through a numeric keypad or dial.
• Access numbers should be available only to authorized people.
• Access numbers should be changed on a frequent basis and should be mandatorily changed whenever an
employee with access is transferred or terminated.
• Electronic door locks
• With electronic door locks, access is granted through a magnetic or embedded chip-based plastic card key.
• These access cards are difficult to duplicate. It is very easy to deactivate the access card in case of termination
or when a card is lost.
• Biometric door locks
• Access can be granted through any of the biometric features of the user, such as voice, retina, fingerprint, and
hand geometry.
• Biometric access controls are generally used for critical and sensitive facilities.
• Deadman doors
• Deadman doors are also known as a mantrap or airlock entrance.
• In these cases, two doors are used and for the second door to open, the first door must be closed and locked.
Only one person is permitted in the gap between the first door and the second door.
• A deadman door reduces the risk of tailgating or piggybacking wherein an unauthorized person follows an
authorized person to gain unauthorized entry.
• Identity and access management
• Logical access controls are a set of tools and protocols with the objective and purpose of the following:
• Identification
• Authentication
• Authorization
• Accountability
• Access control categories
• Mandatory access control
• In mandatory access control (MAC), control rules are governed by an approved policy.
• Users or data owners cannot modify the access rules.
• MAC ensures that files are shared only with authorized users as per the security classification of the file. This will
ensure that users cannot share the file with unauthorized users.
• Discretionary access control
• In discretionary access control (DAC), access control can be activated or modified by the data owner at their discretion.
• MAC is considered to be more robust and stringent in terms of information security compared to DAC.
• Role-based access control
• In RBAC, access is allowed on only a need-to-know basis.
• RBAC helps to simplify the security administration for large organizations having thousands of users and multiple
permissions.
• The components of RBAC, such as role permissions, make it convenient and simple to allow access to authorized
users.
• RBAC is considered the most effective method for implementing the segregation of duties (SoD).
• Degaussing (demagnetizing)
• The right kind of data formatting is very critical to ensure that residual data from media cannot be recovered
by an unauthorized person.
• To the greatest extent possible, the media should be physically destroyed in such a way that it cannot be
reused. However, it may not always be economical to destroy the media, and hence for these cases,
extreme care should be taken for the complete deletion of the data, and the data should not be recoverable
by any tool or technique.
• One such method is to demagnetize the media, which is also known as degaussing.
• Degaussing a hard drive eliminates its magnetic field patterns.
Factors of Authentication:
• Something you know: For example, a password, PIN, or some other personal information
• Something you have: For example, a token, one-time password, or smart card
• Something you are: For example, biometric features, such as a fingerprint, iris scan, or voice recognition
• Two-factor authentication means the use of two authentication methods from the preceding list. For critical
systems, it is advisable to use more than one factor of authentication for granting access.
Single sign-on (SSO)
• Single sign-on (SSO) is a user authentication service that permits a user to use one set of login credentials
(for example, a name and password) to access multiple applications.
• It is important to implement strong password complexity for this kind of environment.
• One example of SSO is Kerberos. Kerberos is an authentication service used to validate services and
users in a distributed computing environment.
Advantages of SSO
• Multiple passwords are not required, which encourages users to select a strong password.
• Reduces administrative overhead costs in resetting passwords due to a lower number of IT help desk calls
about passwords.
• Reduces the time taken by users to log in to multiple applications.
Disadvantages of SSO:
• SSO acts as a single authentication point for multiple applications, which constitutes a risk of a single point
of failure.
• Support for all major operating system environments is difficult.
Biometrics
• Biometric verification is a process through which a person can be uniquely identified and authenticated by
verifying one or more of their biological features.
• Examples - palm, hand geometry, fingerprints, retina and iris patterns, voice, and DNA.
Biometrics – accuracy measure
• False acceptance rate
• The false acceptance rate (FAR) is the rate of acceptance of unauthorized users. For example, if biometrics
allows access to an unauthorized person, then it is referred to as a false acceptance.
• False rejection rate
• The false rejection rate (FRR) is the rate of rejection of the correct person (that is, an authorized person). In
this scenario, if the biometric controls do not allow access to an authorized person, then it is referred to as
a false rejection.
• It must be noted that the FAR and FRR are inversely related. Tuning that increases the FAR will result
in a decrease in the FRR and vice versa.
• Cross error rate or equal error rate (CER or EER)
• The cross error rate (CER) or equal error rate (EER) is the rate at which the FAR and FRR are equal.
• A biometric system with the lowest CER or EER is the most effective system. A biometric system with the
highest CER or EER is the least effective system.
• A retina scan is considered the most accurate and reliable identifier with the lowest FAR.
• Biometric sensitivity tuning
• High false rejection rate:
• This provides the most stringent access control. Here, the biometric matching criteria are set
extremely high and in a few cases, even valid users are rejected. But overall, it provides good
protection for a critical database.
• High false acceptance rate:
• Here, access control is not rigorous. Biometric matching criteria are set at a low level. Sometimes
even unauthorized users are accepted.
• Equal error rate:
• This is a moderate type of access control. Here, sensitivity is tuned in such a way that the FRR is
equal to the FAR (that is, there is neither high false rejection nor high false acceptance).
• Thus, a critical database security manager would always prefer a high FRR. That is, biometric matching
criteria that are set at a high level.
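The FAR/FRR trade-off and the equal error rate described above, as an added worked example that is not part of the slides: constructed match scores from a hypothetical matcher, with functions that compute the FAR and FRR at a given threshold, locate the EER/CER, and pick the high-FRR threshold a critical-database security manager would choose. Two systems are compared so that the lower CER marks the more effective one.

```python
"""Biometric sensitivity tuning: FAR, FRR and the equal error rate (EER/CER).

Constructed illustration (not from the original slides): a hypothetical matcher
returns a similarity score from 0 to 100 for each attempt, and the system accepts
an attempt when the score is at or above a configurable threshold.
"""

# Constructed sample scores: attempts by enrolled (genuine) users and by impostors.
GENUINE = [60, 65, 70, 72, 75, 78, 82, 85, 90, 95]
IMPOSTOR_A = [20, 25, 30, 35, 40, 45, 50, 55, 62, 68]   # well-separated system
IMPOSTOR_B = [30, 40, 50, 60, 65, 70, 75, 80, 85, 90]   # heavily overlapping system

THRESHOLDS = range(0, 101)


def far(impostor_scores, threshold):
    """False acceptance rate: share of impostor attempts accepted at this threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: share of genuine attempts rejected at this threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def equal_error_rate(genuine_scores, impostor_scores, thresholds=THRESHOLDS):
    """Threshold at which FAR and FRR are (closest to) equal, and the error rate there.

    Raising the threshold lowers FAR and raises FRR; the crossing point is the
    EER/CER, and the system with the lowest EER/CER is the more effective one.
    """
    best = min(thresholds,
               key=lambda t: abs(far(impostor_scores, t) - frr(genuine_scores, t)))
    eer = (far(impostor_scores, best) + frr(genuine_scores, best)) / 2
    return best, eer


def stringent_threshold(genuine_scores, impostor_scores, max_far=0.0, thresholds=THRESHOLDS):
    """Lowest threshold whose FAR does not exceed max_far: the high-FRR setting
    preferred for a critical database. Returns (threshold, frr) or None."""
    for t in thresholds:
        if far(impostor_scores, t) <= max_far:
            return t, frr(genuine_scores, t)
    return None


if __name__ == "__main__":
    for name, impostor in (("system A", IMPOSTOR_A), ("system B", IMPOSTOR_B)):
        t, eer = equal_error_rate(GENUINE, impostor)
        print(f"{name}: EER/CER = {eer:.2f} at threshold {t}")
        t, rej = stringent_threshold(GENUINE, impostor)
        print(f"{name}: zero-FAR threshold {t} rejects {rej:.0%} of genuine users")
```

System A reaches an EER of 0.1 at threshold 63 while system B only reaches 0.4 at threshold 73, and the zero-FAR setting for A (threshold 69) still rejects 20% of genuine attempts.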
• Biometric attacks
• Replay attack: In a replay attack, an intruder attempts to use residual biometric
characteristics (for example, residual fingerprints left on a biometric device) to gain
unauthorized access.
• Brute force attack: In a brute force attack, the attacker sends numerous biometric samples
with the objective of causing a malfunction in the biometric device.
• Cryptographic attack: In a cryptographic attack, an attacker attempts to obtain information by
targeting algorithms or the encrypted information transmitted between biometric devices and
access control systems.
• Mimic attack: In a mimic attack, the attacker attempts to reproduce a fake biometric feature of
a genuine biometric user. For example, imitating the voice of an enrolled user.
OSI Layers
• Networking devices
• An IS auditor should have a basic understanding of the following network devices.
• Repeaters
• Repeaters are used to address the risk of attenuation (weakening of the signal).
• A repeater receives the signal from one network and it amplifies and regenerates the weak signal.
• Repeaters extend the signal so that a signal can cover longer distances or be received on the other
side of an obstruction.
• Hubs and switches
• Hubs and switches are used to connect different devices for the exchange of data.
• A hub operates at layer 1 (physical layer), whereas a switch operates at layer 2 (data link layer) of OSI
model.
• A switch is regarded as a more advanced/intelligent version of the hub. A hub broadcasts the message
to all connected devices, whereas a switch sends messages only to designated devices.
• A hub cannot store Media Access Control (MAC) addresses, whereas switches store MAC addresses
in a lookup table.
• Bridges
• Bridges have the same functionality as switches.
• They both operate at layer 2 (data link layer) of the OSI model.
• A bridge identifies the MAC address and directs the packet to its destination.
• It also has the ability to store the frame and can act as a store-and-forward device.
• A bridge has only a few ports for connecting devices, whereas a switch has many ports for device
connection.
• Networking devices
• Routers
• A router is regarded as a more advanced/intelligent version of the switch.
• It operates at layer 3 (network layer) of the OSI model.
• A router identifies the IP address and directs the packet to its destination.
• A router has the basic ability to monitor, control, and block network traffic.
• A router identifies the IP address, whereas a switch operates by identifying MAC addresses.
• Gateway
• A gateway has the capability to translate and connect different protocols and networks. It operates at layer 7
(application layer) of the OSI model.
• Network physical media
• Fiber optics
• Optical fiber is a thin and flexible piece of fiber made of glass or plastic.
• It carries binary signals as flashes of light.
• Fiber optic cables are considered to be more secure than copper wire.
• Fiber optic is the preferred choice for managing long-distance networks and handling high volumes of data.
• Fiber optic is not impacted or affected by electromagnetic interference (EMI).
• Fiber optic cables have very marginal transmission loss.
• Network physical media
• Twisted pair (copper circuit)
• Twisted pairs are also known as copper circuits.
• Copper wires are cheaper than fiber optics.
• There are two categories of twisted pair: shielded twisted pair (STP) and unshielded twisted pair (UTP).
• STP is less prone to EMI and cross talk and so is more reliable than UTP.
• UTP is more sensitive to the effects of EMI and cross talk.
• The parallel installation of UTP cables should be avoided over long distances, since one cable can interfere
with the signals of adjacent cables (that is what is meant by cross talk).
• Risks of physical network media
• Attenuation
• Attenuation is the loss or weakening of signal transmission.
• Attenuation can impact both wired and wireless transmissions.
• Distance and wire length have a direct impact on the severity of attenuation.
• EMI
• EMI is an interference or disturbance that impacts the quality of electrical signals.
• EMI is generally caused by connecting one electrical or electronic device to another, which may degrade the
performance of the circuit or even stop it from functioning.
• With respect to network data, EMI may result in the total loss of data or an increase in the error rate.
• Major causes of EMI are electrical storms or noisy electrical equipment (for example, motors, fluorescent lighting, and
radio transmitters).
• Cross talks
• Cross talk happens when the signal from one cable gets mixed up with the signal from another cable.
• This generally happens with UTP cables that run close to one another.
• Network protocols
• Dynamic Host Configuration Protocol (DHCP)
• DHCP is a protocol to manage the network configuration.
• A DHCP server dynamically assigns an IP address and other network configuration parameters to every device on a
network so that they can communicate with other IP networks.
• Transport Layer Security and Secure Sockets Layer
• Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are protocols operating at the transport layer.
• They are used for privacy and data security while communicating over the network.
• Both protocols make use of cryptographic functions to protect the confidentiality, reliability, and integrity of private
documents traveling through the internet.
• SSL is now deprecated as it is vulnerable to attack.
• Transmission Control Protocol and User Datagram Protocol
• Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) are protocols operating at the transport layer.
• TCP is considered a reliable and connection-oriented protocol and ensures that data packets are delivered to the
destination.
• TCP provides for enhanced error checking and correction.
• If a data packet is corrupted or lost during transmission, TCP resends the packet. It delivers the packet in a sequence.
• UDP is considered a connectionless protocol.
• UDP has unreliable service and data packets may arrive out of order, be corrupted, or may get dropped, and the
destination does not acknowledge every packet it receives.
• One advantage of UDP is that it allows for reduced latency as it does not perform error checking.
• Secure Shell and Telnet
• Secure Shell (SSH) and Telnet are remote terminal control protocols.
• Through these protocols, a user can connect to the terminal from a remote location.
• SSH provides authentication and secure transmission for remote connection.
• However, it must be noted that Telnet traffic is not encrypted by default. It is advisable to use SSH in place of Telnet.
• Firewall types and implementation
• Firewall:
• A firewall is a device used to monitor and control network traffic.
• It is generally placed in-between an enterprise's internal network and the internet to protect the system and infrastructure of
the organization.
• Types of firewalls
• Packet filtering router
• A packet-filtering router is the simplest and earliest form of firewall.
• It tracks the IP address and port number of both the destination and source and takes action (either to allow or deny
the connection) as per the defined rules.
• A packet-filtering router functions at the network layer of the OSI model.
• Stateful inspection firewall
• A stateful inspection firewall monitors and tracks the destination of each packet that is being sent from the internal
network.
• Stateful inspection firewalls only allow incoming messages that are in response to the request that went out from the
internal network.
• A stateful inspection firewall operates at the network layer of the OSI model.
• Circuit-level firewall
• A circuit-level firewall operates on the concept of a bastion host and proxy server.
• It provides the same proxy for all services and operates at the session layer of the OSI model.
• Application-level firewall
• An application-level firewall is regarded as the most secure type of firewall.
• It operates at the application layer of the OSI model and controls applications such as FTP and HTTP.
• It also works on the concept of the bastion host/DMZ and proxy server, but it provides a separate
proxy for each service.
• Proxy
• A proxy stands in between the internal and external networks.
• No direct communication is allowed between the internal and external networks.
• All communication passes through the proxy server.
• Bastion host/DMZ
• A demilitarized zone (DMZ) is an area that can be accessed by an external network. The objective of setting up a DMZ is to
prevent external traffic from having direct access to the critical systems of the organization.
• All the systems placed in the DMZ should be hardened and all functionality that is not required should be
disabled. Such systems are also referred to as bastion hosts.
Firewall Implementation:
• Dual-homed firewall
• A dual-homed firewall consists of one packet filtering router.
• It also has one bastion host with two Network Interface Cards (NICs).
• Screened host firewall:
• A screened host firewall consists of one packet filtering router.
• It also has one bastion host.
• Screened subnet firewall (demilitarized zone)
• A screened subnet firewall consists of two packet filtering routers.
• It also has one bastion host. Of the preceding firewall implementations, a screened subnet firewall
(demilitarized zone) is regarded as the most secure type of firewall implementation.
• Placing the firewall
• It should be placed on a hardened server with minimal services enabled.
• It should be implemented on a domain boundary to monitor and control incoming and outgoing traffic.
• Conduct penetration tests periodically to ensure that the firewall rules are adequate.
• A firewall, by default, should reject traffic with IP source routing.
• Firewall and the corresponding OSI layer
• Packet filtering – network layer
• Stateful inspection - network layer
• Circuit level – session layer
• Application level – application layer.
Virtual private networks
• A virtual private network (VPN) is used to extend a private network through the use of the internet in a
secure manner.
• It provides a platform for remote users to connect to the organization's private network.
• With the help of VPN technology, remote users and branch offices can connect to the resources and
applications hosted in the private network of the organization.
• For enabling a VPN, a virtual point-to-point connection is established by way of dedicated circuits or
tunneling protocols.
• VPN technology ensures the safeguarding of critical data traveling over the internet.
• To protect the data, a VPN encrypts the packets with IP Security (IPSec) standards.
• A VPN is enabled either through IPSec tunnel mode or IPSec transport mode.
• In IPSec tunnel mode, the entire packet (including the header) is encrypted.
• In IPSec transport mode, only the data portion (payload) is encrypted.
• VPNs
• Advantages of VPNs
• A VPN helps organizations to expand their corporate network in a cost-efficient way.
• A VPN provides authorized remote users with a secure and effective way of connecting to
corporate networks.
• A VPN provides a platform for secure communication with business partners.
• Security risks
• The risk of malware entering the network through remote access.
• If a remote computer is compromised, an intruder may send malicious code through a VPN to enter
the organization's private network.
• The risk of poor configuration management.
• Wireless network
• A network connection not involving the use of a cable or wire is known as a wireless network. Cell phone
networks and wireless local area networks (WLANs) are examples of wireless networks.
Wireless network protection
• Enabling encryption:
• Encryption is the process of converting data into an unreadable form. The process of encryption helps
to scramble the data we send over the wireless network into a code.
• For wireless connections, WPA2 is the strongest encryption standard.
• Enabling MAC filtering
• Each system/PC/laptop/mobile has a unique identification number, which is known as the MAC
address. This control will help us to allow access to only selected and authorized devices. Hence, the
router will restrict other unauthorized devices in terms of accessing the network.
• Disabling the SSID
• The SSID is the name of the wireless network. The SSID is also known as the network ID.
• If not disabled, this name is viewable to anyone with a wireless device within reachable distance of the
network.
• Disabling DHCP
• Dynamic Host Configuration Protocol (DHCP) is a network management tool. It automatically assigns
an IP address to each device connected to the network, which will help the devices to communicate
with other IP networks.
• If DHCP is disabled, then the IP address can be configured manually – that is, using static IP
addresses, and this helps to reduce the risk of unauthorized access.
Common attack methods
• Rogue access point
• A rogue access point is installed by a hacker on a secure network to gain unauthorized access.
• A rogue access point facilitates a wireless backdoor for unauthorized users.
• Rogue access points can bypass the network firewalls and other monitoring devices and expose a
network to attack.
• War driving
• War driving is a technique used by a hacker to search wireless networks from a moving car or vehicle
by using a laptop or other wireless device with hacking tools or software.
• The same technique is used by information security auditors to test the wireless security of an
organization.
• War walking
• War walking is a similar process to war driving, where hackers search wireless networks by walking
with their devices instead of driving.
• This is commonly done in public areas, such as malls, hotels, and city streets.
• War chalking
• War chalking is a technique of drawing a mark or symbol in a public area indicating the existence of
an open wireless network.
• These symbols are subsequently used by others to exploit weak wireless networks.
Public Key Cryptography and Other Emerging Technologies
• Cryptography is defined as the art or science of secret writing with the use of techniques such as
encryption.
• Encryption is the process of converting data into unreadable code so it cannot be accessed or read by
unauthorized people.
• This unreadable data can be converted back into readable form by the process of decryption.
• Encryption can be of two types, that is, symmetric encryption and asymmetric encryption.
• Symmetric Encryption:
• A single key is used to encrypt and decrypt the messages.
• Comparatively faster computation and processing.
• The disadvantage of symmetric encryption is the need to share the key with the other party.
• Asymmetric Encryption:
• Two keys are used, a public key and a private key: one for encryption and the other for decryption.
• A message encrypted with one key can be decrypted only with the other key.
• Comparatively slower computation and processing.
Symmetric vs Asymmetric
Encryption Keys
• Sender’s Private Key - The key is available only to the sender.
• Sender’s Public Key - The key is available in the public domain and can be accessed by anyone.
• Receiver’s Private Key - The key is available only to the receiver.
• Receiver’s Public Key - The key is available in the public domain and can be accessed by anyone.
Offers:
• Confidentiality: receiver’s public key is used to encrypt the message and receiver’s private key is used to decrypt
the message.
• Authentication & Non-repudiation: sender’s private key is used to encrypt the message and sender’s public key is
used to decrypt the message.
• Integrity:
• Sender will create a hash of the message.
• This hash is encrypted using the sender's private key.
• Message along with an encrypted hash is sent to the receiver.
• The receiver will do two things. First, he will decrypt the hash value using the sender's public key, and second, he will
again calculate the hash of the message received.
• Receiver will compare both the hash and if both hash values are the same, the message is considered as correct,
complete and accurate.
• The following table will help us to understand the use of different keys to achieve each of the preceding objectives:
• Message Hash
• A hash value is a digital code of the message content.
• A hash value is also known as a message digest. The hash value is unique for each message.
• A slight change in message/content will produce a different hash value.
• A hash value is used to ensure the integrity of the message/content.
• A hash value is used for the creation of a digital signature.
• A hash value, when encrypted with the sender's private key, becomes a digital signature.
• A digital signature is used to determine the integrity of a message and the authentication of the sender
(that is, non-repudiation).
• Combining symmetric and asymmetric methods
• The most efficient use of Public Key Infrastructure (PKI) is to combine the best features of asymmetric
and symmetric methods.
• The challenge of asymmetric encryption is that it is an expensive and time-consuming process.
• Though symmetric encryption is comparatively much faster, it poses the challenge of sharing the
symmetric key with other parties.
• To combine the benefits of both and address their challenges, the following process is recommended:
• For faster and inexpensive computation, encrypt the entire message with the help of a symmetric
key.
• Encrypt the symmetric key with the public key of the receiver.
• Send the encrypted message (step 1) and the encrypted symmetric key (step 2) to the receiver.
• The receiver will decrypt the symmetric key using their private key.
• The receiver will use the symmetric key to decrypt the full message.
• Public Key Infrastructure
• A public key infrastructure is a set of rules and procedures for creation, management, distribution, storage and use of digital
certificate and public key encryption.
• Digital Certificate: Digital certificate is an electronic document used to prove the ownership of a public key. Digital certificate
includes information about the key, owner of the key and digital signature of the issuer of the digital certificate.
• Certifying Authority (CA): A certification authority is an entity that issues digital certificates.
• Registration Authority (RA): A registration authority is an entity that verifies user requests for digital certificates and
recommends that the certificate authority issue them.
• Certificate Revocation list (CRL): CRL is a list of digital certificates which have been revoked and terminated by certificate
authority before their expiry date and these certificates should no longer be trusted.
• Process involved in PKI
• Step 1: The applicant applies to the Certifying Authority (CA) for the issuance of a digital certificate.
• Step 2: The Certifying Authority (CA) delegates the verification process to the Registration Authority (RA).
• Step 3: The Registration Authority (RA) verifies the correctness of the information provided by the applicant.
• Step 4: If the information is correct, the RA recommends that the CA issue the certificate.
• Step 5: The Certifying Authority (CA) issues the certificate and manages it through its life cycle.
• The CA also maintains details of certificates that have been terminated or revoked before their expiry date. This list is known as the
certificate revocation list (CRL).
• CA also maintains a document called as Certification Practice Statement (CPS) containing standard operating procedure
(SOP) for issuance and management of certificates.
• Private key of a certificate authority is used to issue the digital certificate to all the parties in public key infrastructure.
• Digital Signature
• Digital Signature is a process wherein a digital code is attached to an electronically transmitted document
to verify its contents and the sender's identity.
• Steps for creating digital signature
• Step 1: Create Hash (Message digest) of the message.
• Step 2: Encrypt the hash (as derived above) with the private key of the sender.
• A hash function is a mathematical algorithm which gives a unique fixed string for any given message. It
must be noted that the hash value will be unique for each message.
• Step 3: Receiver will calculate the hash value of the message
• Step 4: Then he will decrypt the digital signature using the public key of sender
• Step 5: Now, he will compare the value derived
• If both tally, it proves the integrity of the message.
• A digital signature ensures integrity (the message has not been tampered with), authentication (the message was sent by the sender),
and non-repudiation (the sender cannot deny sending it), but not confidentiality.
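The hybrid encryption steps (encrypt the message with a symmetric key, encrypt that key with the receiver's public key, receiver unwraps and decrypts) and the digital signature steps above (hash, encrypt the hash with the sender's private key, receiver recomputes and compares), as an added worked example that is not part of the slides. The key pairs, the toy RSA parameters and the stand-in symmetric cipher are assumptions made here for illustration.

```python
"""Hybrid encryption and digital signature, following the steps in the slides.

Added illustration, not code from the slides. The asymmetric part is textbook
RSA over two pairs of known Mersenne primes (constructed toy keys, no padding,
far smaller than real keys); the symmetric part is a toy SHA-256 counter-mode
keystream standing in for a real cipher such as AES.
"""
import hashlib
import secrets

E = 65537  # public exponent


def keypair(p, q):
    """Return ((n, e), (n, d)) for the RSA modulus n = p * q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    return (n, E), (n, d)


# Two constructed toy key pairs: one for the sender, one for the receiver.
SENDER_PUB, SENDER_PRIV = keypair((1 << 61) - 1, (1 << 89) - 1)        # n ~ 2^150
RECEIVER_PUB, RECEIVER_PRIV = keypair((1 << 107) - 1, (1 << 127) - 1)  # n ~ 2^234


def rsa(x, key):
    """Raw RSA: x ** exponent mod n. The same operation encrypts, decrypts, signs and verifies."""
    n, exponent = key
    if not 0 <= x < n:
        raise ValueError("value does not fit the modulus")
    return pow(x, exponent, n)


def digest(message):
    """Message digest: SHA-256 truncated to 128 bits so it fits the toy moduli."""
    return int.from_bytes(hashlib.sha256(message).digest()[:16], "big")


def sign(message, sender_priv):
    """Signature steps 1-2: hash the message, then encrypt the hash with the sender's private key."""
    return rsa(digest(message), sender_priv)


def verify(message, signature, sender_pub):
    """Signature steps 3-5: recompute the hash, decrypt the signature with the sender's public key, compare."""
    return rsa(signature, sender_pub) == digest(message)


def keystream_xor(key, data):
    """Toy symmetric cipher: XOR data with SHA-256(key || block counter). The same call decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(message, receiver_pub, sender_priv):
    """Hybrid steps 1-3: encrypt the message with a fresh symmetric key, encrypt that key
    with the receiver's public key, and attach the sender's digital signature."""
    sym_key = secrets.token_bytes(16)
    return {
        "ciphertext": keystream_xor(sym_key, message),
        "wrapped_key": rsa(int.from_bytes(sym_key, "big"), receiver_pub),
        "signature": sign(message, sender_priv),
    }


def unseal(envelope, receiver_priv, sender_pub):
    """Hybrid steps 4-5 plus signature check: recover the symmetric key with the receiver's
    private key, decrypt the message, and return it only if the signature verifies (else None)."""
    sym_key = rsa(envelope["wrapped_key"], receiver_priv).to_bytes(16, "big")
    message = keystream_xor(sym_key, envelope["ciphertext"])
    return message if verify(message, envelope["signature"], sender_pub) else None


if __name__ == "__main__":
    msg = b"Transfer approved: invoice 4711"  # constructed sample message
    env = seal(msg, RECEIVER_PUB, SENDER_PRIV)
    print(unseal(env, RECEIVER_PRIV, SENDER_PUB))  # b'Transfer approved: invoice 4711'
    env["ciphertext"] = bytes([env["ciphertext"][0] ^ 1]) + env["ciphertext"][1:]
    print(unseal(env, RECEIVER_PRIV, SENDER_PUB))  # None: the integrity check fails
```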
• Cloud computing
• Cloud computing is the process of utilizing the servers hosted on the internet for storing and processing
data instead of a personal computer or local server.
• Cloud computing enables the user to access computer resources through the internet from anywhere
without worrying about the physical availability of the resources.
• The following are some of the characteristics of cloud computing:
• It provides the capability for organizations to access data or applications from anywhere, anytime, and
from almost any device.
• It provides the capability for the organization to scale IT resources as per the business requirements
at the optimum cost. It provides the capability to monitor, control, and report usage of the resources.
• Deployment models
• A private cloud is used for the exclusive benefit of the organization.
• The public cloud is open to all on the basis of pay per use.
• A community cloud is used by a specific community of consumers who have shared concerns.
• The hybrid cloud is a combination of the private and the public cloud.
• Types of cloud services
• Infrastructure as a Service (IaaS):
• In this type of cloud service, services such as data storage, processing capability, memory, and network resources are
provided to the user as per their requirements.
• This helps the user to utilize computing resources without having to own or manage their own resources. The end
users or IT architects will use virtual machines (VMs) as per their requirements.
• Examples of infrastructure service providers are Google Compute Engine, Amazon Web Services (AWS), OpenStack,
and so on.
• Software as a Service (SaaS):
• With the help of SaaS, an end user can access an application through the internet.
• Instead of local storage and processing, the application is hosted on a cloud managed by a third-party service provider.
• For example, users can make their own Word document in Google Docs online without having installed Office software,
or edit a photo online on pixlr.com without installing any editing software.
• Platform as a Service (PaaS):
• In PaaS, users can develop and deploy an application on a development platform made available by the service
provider.
• In the traditional method, an application or software is developed in local machines and hosted in a local server.
• For example, applications such as Google App Engine, Windows Azure compute, and so on provide tools to develop
applications.
• An IS Auditor should consider the following risks and security controls for a cloud arrangement:
• Ensure compliance with relevant laws, regulations, and standards.
• Ensure compliance with privacy laws that restrict the movement of personal data to an offshore
location.
• Ensure the availability of information systems and data on a continuous basis.
• Evaluate the business continuity and disaster recovery plan of the cloud service provider.
• Evaluate implemented controls for safeguarding the confidentiality, integrity, and availability of the
data.
• Ensure that the SLA includes clauses with respect to the ownership and custody of the data and the
security administration of cloud-related services.
• Ensure the inclusion of right to audit clauses in the SLA.
Protection of Information Assets
• Virtualization
• Virtualization makes it possible to run multiple operating systems simultaneously on a single
computer. With the use of virtualization, organizations can increase the efficiency and reduce the cost
of IT operations.
• Virtual resources such as the server, desktop, Operating System, storage, and networks can be
created with the help of virtualization tools.
• Important Terms
• Hypervisor: Software or hardware used to create virtual resources
• Host: The original computer
• Guest: Virtual resources created by a hypervisor
• The following are some of the risks of virtualization:
• The improper configuration of hypervisors may allow unauthorized access to guests.
• Attackers may be able to gain unauthorized access with the help of mechanisms called guest tools.
• Poor control of access to hypervisors.
• An attack on the host may impact all the guests as well.
• Performance issues with the host may impact all the guests as well.
• The risk of data leakage between guests if there is poor control for memory release and allocation.
Protection of Information Assets
• Bring your own device (BYOD)
• Organizations should have an approved BYOD policy.
• An organization cannot escape its liability even if data is leaked through an employee's personal
device.
• Periodic awareness training on the use of BYOD should be organized.
• If corporate data is stored on personal devices, the data should be properly encrypted and a remote data wipe
facility should be enabled so that all data can be wiped if the device is lost or stolen.
• Virtualized Desktop for BYOD
• In a virtualized desktop setup, users can access their respective desktops from any remote location.
• The Internet of Things (IoT)
• IoT is a concept wherein devices have the ability to communicate and transfer data with each other
without any human intervention; Alexa or Google Assistant are examples.
• An auditor should consider the following risks with respect to IoT:
• The impact of IoT on the health and safety of human life
• Regulatory compliance with respect to the use of IoT
• The impact of IoT on user privacy
• The impact of IoT on device vulnerabilities
Protection of Information Assets
• Security awareness training and programs
• Security awareness training is the most important element of an information security program.
• In the absence of a structured and well-defined security awareness training program, the security program will not
deliver the desired results. It is not possible to address security risks through technical security
measures alone.
• It is important to address the behavioural aspects of employees through continuous awareness and
education.
• The most effective way to increase the effectiveness of the training is to customize it for the target
audience and to address the systems and procedures applicable to that particular group.
• For new joiners, the security awareness program should be part of the orientation program. It must be ensured that
the user has been trained on the acceptable use of information resources before any system or data access is
provided.
• The security manager should design quantitative evaluation criteria to determine the effectiveness of
security training and user comprehension.
• Adherence to information security requirements is the best way to monitor the effectiveness of security
programs. If exceptions are minimal, this indicates that employees are aware of the security
requirements.
• More exceptions indicate a lack of awareness amongst employees and that the information security
program is not effective.
Different attack methods
• Man-in-the-middle attack
• In this attack, the attacker interferes while two devices are establishing a connection. Alternatively, the
attacker actively establishes a connection with each of the two devices and pretends to each of them to be
the other device.
• If either device asks for authentication, the attacker forwards the request to the other device and then relays
the response back to the first device.
• Once a connection is established, the attacker can communicate and obtain information as they wish.
• Masquerading:
• In this type of attack, an intruder hides their original identity and acts as someone else.
• This is done to access a system or data that is restricted.
• IP spoofing:
• In IP spoofing, a forged source IP address is used to get past a firewall.
• IP spoofing can be considered the masquerading of a machine.
• Message modification
• In this type of attack, a message is captured and altered or deleted without authorization.
• For example, a message to a bank is modified so that it makes a payment.
• Network analysis:
• In this type of attack, an intruder creates a repository of information about a particular organization's
internal network, such as internal addresses, gateways, and firewalls.
Different attack methods
• Packet replay:
• In this type of attack, an intruder captures data packets as they move along a vulnerable network and retransmits them later.
• Pharming:
• In this type of attack, the traffic of a website is redirected to a bogus website.
• This is done by exploiting a vulnerability in the DNS server.
• Pharming is a major concern for e-commerce websites and online banking websites.
• Piggybacking:
• In this type of attack, which refers to a physical security vulnerability, the intruder follows an authorized person through a
secured door to gain unauthorized access.
• Password sniffing:
• In a password sniffing attack, a tool known as a password sniffer listens to all the TCP/IP traffic on the network
and extracts usernames and passwords.
• These passwords are then used to gain unauthorized access to the system.
• Parameter tampering:
• The unauthorized modification of web application parameters with a malicious aim is known as parameter tampering.
• Privilege escalation:
• In a privilege escalation attack, a user such as an employee obtains higher system privileges than authorized
by exploiting security flaws.
• Race condition:
• This is also known as a time-of-check (TOC) to time-of-use (TOU) attack, or TOCTOU attack.
• In this attack, an intruder exploits the small time window between the point in time a security control is checked
and the point in time the service is actually used.
• The longer the gap between the TOU and the time of service, the higher the chances are of a race condition attack
being successful.
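As a defender-side illustration of the message modification and packet replay attacks described above (an added example, not part of the original slides): a payment message carries an HMAC-SHA256 tag and a sequence number, so the receiving side can reject both a message altered in transit and a captured message delivered a second time. The shared key, field names and function names are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed shared secret for the example; in practice it comes from a key store
SHARED_KEY = b"example-shared-key-not-for-production"


def canonical(body):
    """Encode the message body deterministically so both sides hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_message(payer, payee, amount, seq):
    """Payment message: body plus an HMAC-SHA256 tag over its canonical encoding."""
    body = {"payer": payer, "payee": payee, "amount": amount, "seq": seq}
    tag = hmac.new(SHARED_KEY, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class PaymentReceiver:
    """Receiver that checks integrity (HMAC) and freshness (strictly increasing seq)."""

    def __init__(self):
        self.last_seq = 0
        self.accepted = []

    def receive(self, message):
        expected = hmac.new(SHARED_KEY, canonical(message["body"]), hashlib.sha256).hexdigest()
        # Constant-time comparison so the check does not leak how many tag bytes matched
        if not hmac.compare_digest(expected, message["tag"]):
            return "rejected: integrity check failed"
        seq = message["body"]["seq"]
        if seq <= self.last_seq:
            return "rejected: replay detected"
        self.last_seq = seq
        self.accepted.append(message["body"])
        return "accepted"


def demo():
    """Three deliveries: a genuine message, one altered in transit, and a replay."""
    receiver = PaymentReceiver()
    results = []
    genuine = build_message("alice", "bob", 100, seq=1)
    results.append(receiver.receive(genuine))
    # Captured on the wire and altered: payee and amount changed, tag left as it was
    altered = build_message("alice", "bob", 100, seq=2)
    altered["body"]["payee"] = "mallory"
    altered["body"]["amount"] = 9000
    results.append(receiver.receive(altered))
    # The unchanged genuine message delivered a second time
    results.append(receiver.receive(genuine))
    return results


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```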
Different attack methods
• Salami:
• In this technique, a small amount of money is sliced from a computerized transaction and transferred to unauthorized
accounts.
• Social engineering:
• In a social engineering attack, an attempt is made to obtain sensitive information from users by tricking and manipulating
people.
• Social engineering is generally conducted through dialogue, interviews, inquiries, and other social methods of interaction.
• The objective of social engineering is to exploit human nature and weaknesses for obtaining critical and sensitive
information.
• By implementing adequate and effective security awareness training, the consequences of social engineering attacks
can be minimized.
• Shoulder surfing:
• In shoulder surfing attacks, an intruder or a camera captures sensitive information by looking over the shoulder of the
user entering their details, which are visible on the computer screen.
• Virus:
• A virus is a type of malicious code that can self-replicate and spread from computer to computer.
• A virus can take control of a user's computer and can delete or alter sensitive files. It can also disrupt system functioning.
• Worms:
• Worms are destructive programs that can destroy sensitive data. However, worms do not replicate like a virus.
Penetration testing
• In penetration testing, the tester uses the same techniques as used by hackers to gain access to critical
systems/data.
• Penetration testing helps to identify the risk relevant to the confidentiality, integrity, and availability of
information systems.
• The objective of penetration testing is to verify the control environment of the organization and to take
corrective action if a deficiency is noted.
• Penetration testing needs to be conducted only by a qualified and experienced professional.
• From a risk perspective, the following aspects need to be covered within the scope of penetration testing:
• Precise details of IP addresses need to be included in the scope of the audit.
• Details of the testing technique (SQL injection/DoS/DDoS/social engineering, and so on) should be
provided.
• The day and time of the attack (that is, either during office hours or after office hours) should be
included.
• Provide an appropriate warning prior to the simulation so as to avoid false alarms being raised with
law enforcement bodies.
Penetration testing
• Types of penetration tests
• External testing:
• In external testing, a penetration attack is performed on the target's network from an outside network,
that is, mostly from the internet.
• Internal testing:
• In internal testing, an attack is conducted on the target from within the perimeter.
• This is done to determine the security risk if an actual intruder happens to be within the organization.
• Blind testing:
• In blind penetration testing, the tester is not provided with any information or details about the network.
• Here, the tester is regarded as blind as they do not have any knowledge of the target environment.
• Such a test is expensive because detailed analysis, study, and research are required for an attack.
• Double-blind testing:
• Double-blind testing is the extended version of blind testing, where even the administrator and other
information security staff of the target entity are not aware of the test. It simulates a real attack.
• Double-blind testing helps to determine the incident handling and response capability of the target
organization.
Penetration testing
• In white box penetration testing, relevant details of the infrastructure are made available to the tester in
advance. This helps the tester to concentrate on exploitation.
• In a black box approach, no information is provided about the infrastructure to the tester and it simulates an
actual hacking attempt.
• The following are some of the risks associated with penetration testing:
• A penetration test attempt by an unqualified auditor may have an adverse impact on the target's system.
• Sensitive information relating to the target environment gathered during penetration testing can be misused
by the tester.
• Inappropriate planning and timing of the attack may cause the system to fail.
• This is a simulation of a real attack and may be restricted by law or regulations.
• Such attacks without appropriate approvals may have an adverse impact.
Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
• An intrusion detection system (IDS) monitors a network (network-based IDS) or a single system
(host-based IDS) with the objective of recognizing and detecting intrusion activity.
• Components of an IDS
• Sensors: The function of the sensors is to collect data.
• Analyzers: The function of the analyzer is to analyze the data and determine whether there is intrusion activity.
• Administration console: The administration console helps the administrator to control and monitor
IDS rules and functions.
• User interface: The user interface supports the user in viewing the results and carrying out the required tasks.
Limitations:
• An IDS operates on the basis of its policy definitions.
• Weak policy definitions weaken the function of the IDS.
• An IDS cannot control application-level vulnerabilities.
• An IDS cannot control a back door into an application.
• An IDS cannot analyse data that is tunnelled through an encrypted connection.
Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
Types of IDS
• Signature-based: the IDS looks for specific predefined patterns to detect an intrusion.
• Also known as a rule-based IDS.
• Does not detect new attack methods for which signatures have not yet been developed.
• Statistical-based IDS: attempts to identify abnormal behaviour by comparing observed activity against a
statistical baseline of normal behaviour.
• A statistical IDS generates the most false positives compared with other types of IDS.
• Neural network: works on the same principle as a statistical-based IDS, but with the added
capability of self-learning.
• If the criteria are not properly tuned, the IDS may generate false alarms or may fail to identify an actual
abnormality. The most effective way to determine whether an IDS is properly tuned is to simulate
various attack scenarios and review the performance of the IDS.
• If the IDS is installed between the firewall and the external network, it will be able to identify all intrusion
attempts, irrespective of whether the intrusion packets bypassed the firewall or not.
• If the IDS is installed between the firewall and the internal network, it will be able to detect only those
attempts that bypassed the firewall rules.
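To make the signature-based versus statistical-based distinction above concrete, here is an added example (not from the original slides) that runs both kinds of detection over constructed web-server log lines: the signature detector catches the two known patterns but not the novel high-rate probe, while the statistical detector flags the probe and also the busy but legitimate crawler, which is the false-positive behaviour and tuning trade-off the slide describes. Log format, IP addresses, signatures and the `k` tuning parameter are all assumptions made for the example.

```python
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Constructed web-server log lines: "<timestamp> <source-ip> <method> <path> <status>"
# Training window: three sources with a quiet, slightly varying request rate per minute
TRAINING_LOG = [
    f"2024-05-01T09:{m:02d}:{i:02d} 10.0.0.{h} GET /index.html 200"
    for m in range(10) for h in (5, 6, 7) for i in range(1 + (m + h) % 3)
]
# Test window: two known attack strings, one novel high-rate probe (10.0.0.9)
# and one legitimate but busy crawler (10.0.0.8)
TEST_LOG = (
    ["2024-05-01T10:00:01 10.0.0.5 GET /index.html 200",
     "2024-05-01T10:00:02 10.0.0.6 GET /login?user=a'%20UNION%20SELECT%201-- 500",
     "2024-05-01T10:00:03 10.0.0.7 GET /../../etc/passwd 403"]
    + [f"2024-05-01T10:00:{s:02d} 10.0.0.9 GET /api/v2/item?id=%ff%fe{s} 500" for s in range(10, 40)]
    + [f"2024-05-01T10:00:{s:02d} 10.0.0.8 GET /docs/page{s}.html 200" for s in range(40, 60)]
)

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Signature (rule-based) IDS: predefined patterns matched against the URL-decoded path
SIGNATURES = {
    "sql-injection": re.compile(r"union\s+select", re.IGNORECASE),
    "path-traversal": re.compile(r"\.\./"),
}


def parse(line):
    """Split one log line into fields; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, method, path, status = m.groups()
    return {"minute": ts[:16], "src": src, "method": method,
            "path": unquote(path), "status": int(status)}


def signature_ids(lines):
    """Return {source_ip: [rule names]} for requests matching a known signature."""
    alerts = {}
    for rec in filter(None, map(parse, lines)):
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["path"]):
                alerts.setdefault(rec["src"], []).append(name)
    return alerts


def learn_baseline(lines):
    """Mean and standard deviation of requests per source per minute in a normal window."""
    per_src_minute = Counter((r["src"], r["minute"]) for r in filter(None, map(parse, lines)))
    counts = list(per_src_minute.values())
    return statistics.mean(counts), statistics.pstdev(counts)


def statistical_ids(lines, baseline, k=3.0):
    """Flag sources whose per-minute request count exceeds mean + k * stdev.
    Raising k reduces false positives but lets lower-rate abnormalities through."""
    mean, stdev = baseline
    threshold = mean + k * stdev
    per_src_minute = Counter((r["src"], r["minute"]) for r in filter(None, map(parse, lines)))
    return {src: n for (src, _), n in per_src_minute.items() if n > threshold}


if __name__ == "__main__":
    print("signature alerts:", signature_ids(TEST_LOG))
    baseline = learn_baseline(TRAINING_LOG)
    print("baseline mean/stdev: %.2f / %.2f" % baseline)
    print("statistical alerts:", statistical_ids(TEST_LOG, baseline))
```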
Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
• Intrusion prevention systems have the ability not only to detect intrusion attempts but also to
prevent the impact of the intrusion attack.
• Honey pots and honey nets
• A honey pot is a decoy system set up to attract hackers and intruders.
• The purpose of setting up a honey pot is to capture the details of intruders in order to proactively
strengthen the security controls.
• A honey net is a combination of linked honey pots. A honey net is used for large network setups.
• The domain name system (DNS) provides a simple cross-reference between a domain name and its
related IP address.
• In a pharming attack, malware changes domain name system (DNS) server settings and redirects
users to malicious sites.
Incident Response Plan and Procedures
• A well-defined incident management process will yield far better results in reducing business
disruptions than an unorganized incident management process.
• The organization can effectively handle any unanticipated events.
• The organization will have robust detection techniques and processes for the timely identification of incidents.
• The organization will have well-defined criteria for defining the severity of an incident and an appropriate escalation
process.
• Experienced and well-trained staff will be available for the effective handling of incidents.
• The organization will have well-defined communication channels for timely communication about
incidents to different stakeholders and external parties.
• The organization will have a well-defined process to analyze the root cause of an incident and address the gaps
to prevent its recurrence.
Security Incident and Event Management (SIEM)
• A Security Incident and Event Management (SIEM) system collects data from various sources and
analyses it for possible security events.
• A SIEM system has the capability to detect attacks by signature-based or behaviour-based (heuristic) analysis.
• SIEM is the most effective method to determine the aggregate risk from different sources.
Incident Response Plan and Procedures
Characteristics of effective SIEM:
• It has the ability to consolidate and correlate inputs from different systems.
• It has the ability to identify incidents.
• It has the ability to notify staff.
• It has the ability to prioritize incidents based on possible impact.
• It has the ability to track the status of each incident.
• It has the ability to integrate with other IT systems.
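An added example (not from the original slides) of the SIEM characteristics listed above, in Python: events from three differently formatted sources (firewall, SSH authentication log, endpoint agent) are consolidated into one schema, correlated by a brute-force-then-success rule, prioritized by the criticality of the affected asset, and tracked with a status. The log formats, hosts, IP addresses and the asset inventory are constructed for the example; the syslog year is an assumption since syslog lines carry none.

```python
import re
from datetime import datetime, timedelta

# Constructed raw events from three log sources, each in its own native format
RAW_EVENTS = [
    ("firewall", "2024-05-01 10:00:06 ALLOW src=203.0.113.7 dst=10.0.0.20 dport=22"),
    ("auth", "May  1 10:00:07 db-prod-01 sshd: Failed password for svc_backup from 203.0.113.7"),
    ("auth", "May  1 10:00:09 db-prod-01 sshd: Failed password for svc_backup from 203.0.113.7"),
    ("auth", "May  1 10:00:12 db-prod-01 sshd: Failed password for svc_backup from 203.0.113.7"),
    ("auth", "May  1 10:00:15 db-prod-01 sshd: Accepted password for svc_backup from 203.0.113.7"),
    ("endpoint", "2024-05-01T10:00:20Z host=db-prod-01 user=svc_backup event=new_process name=nc"),
    ("auth", "May  1 10:30:00 wiki-test sshd: Failed password for jdoe from 10.0.0.44"),
    ("auth", "May  1 10:30:04 wiki-test sshd: Failed password for jdoe from 10.0.0.44"),
    ("auth", "May  1 10:30:08 wiki-test sshd: Failed password for jdoe from 10.0.0.44"),
    ("auth", "May  1 10:30:11 wiki-test sshd: Accepted password for jdoe from 10.0.0.44"),
]
# Constructed asset inventory: business criticality of a host drives incident priority
ASSET_CRITICALITY = {"db-prod-01": "high", "wiki-test": "low"}
SYSLOG_YEAR = 2024  # syslog lines carry no year; assumed for the example
PRIORITY_ORDER = ["critical", "high", "medium", "low"]

AUTH_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
ENDPOINT_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) event=(\S+) name=(\S+)$")
FIREWALL_RE = re.compile(r"^(\S+ \S+) (\w+) src=(\S+) dst=(\S+) dport=(\d+)$")


def normalize(source, line):
    """Consolidate one raw line into the SIEM's common schema; None if it does not parse."""
    if source == "auth" and (m := AUTH_RE.match(line)):
        ts, host, outcome, user, src = m.groups()
        when = datetime.strptime(f"{SYSLOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")
        action = "login_failed" if outcome == "Failed" else "login_success"
        return {"time": when, "source": source, "host": host, "user": user, "src": src, "action": action}
    if source == "endpoint" and (m := ENDPOINT_RE.match(line)):
        ts, host, user, event, name = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        return {"time": when, "source": source, "host": host, "user": user, "src": None,
                "action": f"{event}:{name}"}
    if source == "firewall" and (m := FIREWALL_RE.match(line)):
        ts, verdict, src, dst, dport = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        return {"time": when, "source": source, "host": dst, "user": None, "src": src,
                "action": f"fw_{verdict.lower()}:{dport}"}
    return None


def correlate(events, window=timedelta(minutes=5), failures=3):
    """Rule: at least `failures` failed logins followed by a success for the same user and
    source IP within `window`. A process launch by that user on a high-criticality host
    within the window raises the incident to critical."""
    events = sorted(events, key=lambda e: e["time"])
    incidents = []
    for i, ev in enumerate(events):
        if ev["action"] != "login_success":
            continue
        fails = [e for e in events[:i] if e["action"] == "login_failed"
                 and e["user"] == ev["user"] and e["src"] == ev["src"]
                 and e["time"] >= ev["time"] - window]
        if len(fails) < failures:
            continue
        follow_on = [e["action"] for e in events[i + 1:] if e["source"] == "endpoint"
                     and e["host"] == ev["host"] and e["user"] == ev["user"]
                     and e["time"] <= ev["time"] + window]
        criticality = ASSET_CRITICALITY.get(ev["host"], "medium")
        priority = "critical" if criticality == "high" and follow_on else criticality
        incidents.append({"rule": "brute-force-success", "host": ev["host"], "user": ev["user"],
                          "src": ev["src"], "failed_attempts": len(fails), "follow_on": follow_on,
                          "priority": priority, "status": "open"})
    # Highest-impact incidents first, so staff are notified about them first
    return sorted(incidents, key=lambda inc: PRIORITY_ORDER.index(inc["priority"]))


def run_siem(raw_events=RAW_EVENTS):
    """Normalize every raw event, drop the unparseable ones, and run correlation."""
    normalized = [n for n in (normalize(src, line) for src, line in raw_events) if n]
    return correlate(normalized)


if __name__ == "__main__":
    for incident in run_siem():
        print(incident)
```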
Developing IRP
• Preparation:
• Defining a process to handle incidents
• Developing criteria for deciding the severity of an incident
• Developing a communication plan with stakeholders
• Developing a process to activate the incident management team
• Identification and triage
• Determining whether the reported incident is valid
• Assigning the incident to a team member
• Detailed analysis of the incident
• Determining the severity of the incident and escalating accordingly
• Containment
• Coordination with the relevant business owner
• Deciding on the course of action to limit the exposure
• Coordinating with the IT team and other relevant stakeholders to implement the containment process
• Eradication
• Determining the root cause
• Addressing the root cause
• Improving the defenses by implementing further controls
Developing IRP
• Recovery
• Restoring the system as defined in the service delivery objective (SDO)
• Testing the system in coordination with system owner
• Lessons learnt
• Lessons learnt are documented to determine what has happened, details of the actions that were
initiated, what went wrong, what went right and areas of further improvements.
• Gap analysis is the most effective way to determine the gap between current incident
management capabilities and the desired level.
Protection of Information Assets
• Evidence collection and forensics
• Digital evidence can be used in legal proceedings provided it has been preserved in its original state.
• Chain of custody
• Evidence loses its integrity if the chain of custody is not maintained.
• The chain of custody refers to the process of identifying, preserving, analyzing, and presenting evidence in such
a manner that it demonstrates the reliability and integrity of the evidence.
• The following are some of the major considerations when demonstrating the chain of custody:
• Identify
• This refers to the practice of the identification of evidence. This process should not impact the evidence's
integrity.
• Evidence should not be altered or modified in any way.
• Preserve
• This refers to the process of preserving the evidence, such as the imaging of original media.
• This process should be followed in the presence of an independent third party. The process of preserving
evidence should be documented for further reference.
• Analyze
• This refers to the process of interpreting and analyzing the evidence. This process should be performed on an
image copy and not on the original evidence.
• Present
• This refers to the process of presenting the evidence to various authorities. This process should not impact the
integrity of the evidence. Evidence should not be altered or modified in any way.
Protection of Information Assets
• Key elements of computer forensics
• Data protection
• An incident response procedure and plan should be in place to ensure that the required information is not deleted or
altered.
• Data acquisition
• All required information should be transferred in a controlled environment.
• Write blocker devices should be used to ensure that electronic media is write-protected.
• Volatile data such as open ports, open files, user logons, and other data helps to determine the status of the system.
• This information is lost when the computer is shut down.
• Imaging
• Imaging is a process of copying data bit for bit so as to avoid inflicting damage on the original data.
• It is used to obtain residual data such as deleted files and other information.
• Imaging is helpful when multiple analyses are performed. Imaging copies the disk surface sector by sector.
• Extraction
• The extraction process involves the identification and selection of data from imaged data.
• Interrogation
• Interrogation is the process of obtaining relevant data, such as IP addresses, telephone numbers, and other details
from extracted data.
• Ingestion/normalization
• Using the normalization process, information is converted to a format that can be understood by an investigator.
• Binary or hexadecimal data is converted into readable characters or in other formats suitable for data analysis tools.
• Reporting
• Reporting involves the presentation of findings in a structured way.
• It includes details such as the objective and purpose of the review, the review process to be followed, and conclusions
arising from the review.
• Reporting should not be ambiguous or open to misinterpretation, and it should be usable in legal proceedings.
Protection of Information Assets
• Protection of evidence
• An IS auditor should consider the following safeguards in order to protect evidence:
• Affected systems should not be rebooted.
• Rebooting the system could result in the loss or corruption of evidence.
• It is recommended to take one or more images of the affected system.
• As far as possible, analysis should be performed on an image of the evidence and not on the
original evidence.
• The chain of custody should be preserved to ensure the integrity of the evidence.
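An added walkthrough (not from the original slides) tying together the chain of custody steps, the imaging element of computer forensics, and the protection-of-evidence safeguards above: the seized media is opened read-only and copied byte for byte, both hashes are recorded in an append-only custody log, analysis is done on the image copy, and the log is re-verified afterwards, including after a single-byte change to the image to show how a broken chain is detected. The file names, handler names and media contents are constructed for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 64 * 1024


def sha256_file(path):
    """Hash a file in chunks so that large images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def image_media(original_path, image_path):
    """Copy the source byte for byte, opening it read-only, and return both hashes
    so the examiner can prove the image is identical to the original."""
    fd = os.open(original_path, os.O_RDONLY)  # never open the original for writing
    with os.fdopen(fd, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            dst.write(block)
    return sha256_file(original_path), sha256_file(image_path)


class ChainOfCustody:
    """Append-only record of who handled which artefact, when, and its hash at that moment."""

    def __init__(self):
        self.entries = []

    def record(self, handler, action, path):
        entry = {"time": datetime.now(timezone.utc).isoformat(), "handler": handler,
                 "action": action, "artefact": os.path.basename(path),
                 "sha256": sha256_file(path)}
        self.entries.append(entry)
        return entry

    def verify(self, path):
        """True if the artefact's current hash equals the hash last recorded for it."""
        name = os.path.basename(path)
        recorded = [e["sha256"] for e in self.entries if e["artefact"] == name]
        return bool(recorded) and sha256_file(path) == recorded[-1]


def run_case(workdir):
    """Identify the media, preserve it by imaging, analyse the copy, then re-verify."""
    original = os.path.join(workdir, "seized_media.bin")
    image = os.path.join(workdir, "seized_media.img")
    # Constructed 'media': live file data plus residual bytes of a deleted file
    with open(original, "wb") as f:
        f.write(b"LIVE:invoice.docx\x00" * 100 + b"DELETED:old_payroll.xlsx\x00" + b"\x00" * 4096)

    log = ChainOfCustody()
    log.record("examiner-A", "identified original media", original)
    orig_hash, img_hash = image_media(original, image)
    log.record("examiner-A", "created forensic image, witnessed", image)
    hashes_match = orig_hash == img_hash

    # Analysis is done on the image only; here a marker search for residual (deleted) data
    with open(image, "rb") as f:
        residual_found = b"DELETED:" in f.read()
    log.record("examiner-B", "analysis on image copy", image)
    intact_after_analysis = log.verify(image) and log.verify(original)

    # Any later change to the image, even a single byte, breaks the chain
    with open(image, "r+b") as f:
        f.write(b"X")
    intact_after_modification = log.verify(image)

    return {"hashes_match": hashes_match, "residual_found": residual_found,
            "intact_after_analysis": intact_after_analysis,
            "intact_after_modification": intact_after_modification,
            "custody_entries": len(log.entries)}


def run_case_in_tempdir():
    """Run the walkthrough in a throwaway directory and return its results."""
    with tempfile.TemporaryDirectory() as workdir:
        return run_case(workdir)


if __name__ == "__main__":
    print(run_case_in_tempdir())
```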

THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
 
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdfGrade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
Grade 9 Quarter 4 Dll Grade 9 Quarter 4 DLL.pdf
 
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptxYOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
 

CISA_WK_4.pptx

  • 3. Information System Operations and Business Resilience
  • End user computing
    • End user computing refers to a system wherein a non-programmer can create their own application.
    • From a user perspective, end user computing is a quick way to build and deploy applications without relying on an IT department. These applications are generally flexible and have the ability to quickly address any new requirements or modifications.
    • The following are some of the inherent risks of end user computing:
      • Applications developed in this way may not be subject to the usual testing and therefore carry a risk to information security in terms of data integrity, confidentiality, and availability.
      • Users may not adhere to change management and release management procedures.
      • System controls in terms of authorization, authentication, audit trails and logs, encryption, and non-repudiation may not be given due importance.
      • An appropriate redundancy and backup arrangement may not be addressed for business continuity.
    • To address the preceding risks, a documented End User Computing (EUC) policy should be available.
    • Also, the auditor should ensure that an inventory of all such applications exists and that sensitive and critical applications are subject to the appropriate controls.
  • 4. Information System Operations and Business Resilience
  • System performance management
  • Nucleus (kernel) functions
    • The nucleus is responsible for the basic processes associated with the operating system.
    • It manages process creation, interrupt handling, support for input and output processes, the allocation and release of memory, and so on.
    • The nucleus is a highly sensitive area where access is restricted to authorized users only. Above the nucleus are other operating system processes that support users; these are known as system software.
  • Utility programs
    • Utility programs help to manage and control computer resources.
    • These programs support the operating system. Examples include disk tools, backup software, and data dictionaries.
  • Registry
    • System settings and parameters are stored in configuration files known as a registry.
    • Control of the registry is an important aspect of IS auditing.
    • Protecting the registry is important for ensuring the integrity, confidentiality, and availability of systems.
  • Activity logging
    • It is very important to log activities for future analysis.
    • These logs should also be appropriately protected, as an intruder may attempt to alter logs to hide their activities.
    • The best way to protect logs is to capture them on a centralized secure server using security information and event management (SIEM) software.
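The activity-logging point above is that logs must be protected against alteration by an intruder. The following added example (not part of the slide deck, and not any particular SIEM product's code) shows one way a central log server can make a record stream tamper-evident: each record carries a keyed hash over the previous record's hash plus its own content, so editing or deleting any record breaks the chain from that point on. The event records and the server key are constructed placeholders.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample of activity records forwarded to a central log server
# (hypothetical events, not taken from any real system).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ts": "2024-05-01T09:00:00Z", "user": "dba01", "action": "ALTER TABLE payroll"},
    {"ts": "2024-05-01T09:05:10Z", "user": "ops02", "action": "service restart httpd"},
    {"ts": "2024-05-01T09:07:42Z", "user": "dba01", "action": "SELECT * FROM salaries"},
]

# Key held only by the central log server (constructed placeholder value).
SERVER_KEY = b"example-log-server-key"
GENESIS = "0" * 64  # hash value the first record chains to


def append_record(chain: List[Dict], event: Dict, key: bytes = SERVER_KEY) -> Dict:
    """Append an event, binding it to the previous record with a keyed hash.

    The MAC covers (previous MAC || canonical JSON of the event), so changing
    or removing any earlier record invalidates every MAC that follows it.
    """
    prev = chain[-1]["mac"] if chain else GENESIS
    payload = prev.encode() + json.dumps(event, sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    record = {"event": event, "prev": prev, "mac": mac}
    chain.append(record)
    return record


def build_chain(events: List[Dict], key: bytes = SERVER_KEY) -> List[Dict]:
    chain: List[Dict] = []
    for ev in events:
        append_record(chain, ev, key)
    return chain


def verify_chain(chain: List[Dict], key: bytes = SERVER_KEY) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad record."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev:
            return i  # a record was removed or reordered before this point
        payload = prev.encode() + json.dumps(rec["event"], sort_keys=True).encode()
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["mac"]):
            return i  # this record's content or MAC was altered
        prev = rec["mac"]
    return None


def demo() -> Tuple[Optional[int], Optional[int], Optional[int]]:
    chain = build_chain(SAMPLE_EVENTS)
    intact = verify_chain(chain)                # None: untouched chain verifies

    # Someone with write access to the log file rewrites their own entry ...
    edited_chain = json.loads(json.dumps(chain))  # deep copy
    edited_chain[0]["event"]["action"] = "SELECT 1"
    edited = verify_chain(edited_chain)         # 0: first record no longer matches its MAC

    # ... or deletes a record outright
    truncated = json.loads(json.dumps(chain))
    del truncated[1]
    deleted = verify_chain(truncated)           # 1: record 2 now chains to a missing MAC

    return intact, edited, deleted


if __name__ == "__main__":
    print(demo())
```

The key lives only on the log server, which is why the slide's advice that DBAs and other administrators should have no access to that server matters: a chain is only as strong as the secrecy of the key that seals it, and a verifier with the key can detect, but not silently repair, any gap.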
  • 5. Information System Operations and Business Resilience
  • Software licensing issues
    • An IS auditor should ensure that software copyright laws are followed by the organization.
    • Any violation may lead to regulatory consequences, reputational loss, and financial loss by way of penalties.
    • Even if an organization is using open source software, it is bound to abide by the terms and conditions of its usage.
    • The best way to determine the use of unauthorized software is to scan the entire network using automated tools and capture a list of installed software. Then, review that list by comparing it with the approved software list.
  • Problem and incident management
    • The objective of problem management is to prevent the recurrence of an incident by identifying the root cause of the incident and taking appropriate preventive action.
    • The elements of problem management are investigation, in-depth analysis, root cause analysis, and addressing the issues identified during the root cause analysis.
    • Some widely accepted methodologies include fishbone analysis, Ishikawa cause and effect diagrams, 5 whys, and brainstorming.
    • The objective of problem management is to reduce the number of incidents, whereas the objective of incident management is to return to a normal state as quickly as possible after an incident and thus minimize the business impact.
  • Network management tools:
    • Response time reports: To determine the response time taken by the host system to address a user's query.
    • Downtime reports: To determine and track the unavailability of telecommunication lines and circuits.
    • Help desk reports: To determine help desk activities such as the nature of queries, the number of open calls, turnaround time, and problems and their resolution.
    • Online monitors: To determine data transmission errors and accuracy.
    • Network monitors: To provide real-time information on network nodes and their status.
    • Network protocol analyzers: Network diagnostic tools that determine and monitor the packets flowing along a link. They produce network usage reports.
    • Simple Network Management Protocol (SNMP): A TCP/IP-based protocol to monitor, control, and manage configuration. It collects statistics on performance and security.
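The slide's procedure for unauthorized software (scan, capture the installed list, compare with the approved list) is easy to script once the scan output is in hand. The following is an added example written for this page, not code from the deck or from any inventory tool; the approved list, host names and scan results are constructed sample data, and the version-aware matching goes slightly beyond the slide, which speaks only of products.

```python
from typing import Dict, List, Set, Tuple

# Approved software list maintained by the IT department (constructed example).
# Key: product name; value: the set of versions approved for installation.
APPROVED: Dict[str, Set[str]] = {
    "Office Suite": {"2021", "2024"},
    "PDF Reader": {"11.0", "11.1"},
    "Endpoint Agent": {"7.2"},
}

# Output of an automated inventory scan, one entry per host (constructed sample).
SCAN_RESULTS: Dict[str, List[Tuple[str, str]]] = {
    "WS-001": [("Office Suite", "2021"), ("PDF Reader", "11.1"), ("Endpoint Agent", "7.2")],
    "WS-002": [("Office Suite", "2019"), ("Endpoint Agent", "7.2"), ("TorrentClient", "3.4")],
    "WS-003": [("PDF Reader", "11.0"), ("Endpoint Agent", "7.2"), ("Office Suite", "2024")],
}

Finding = Tuple[str, str, str]  # (product, version, finding type)


def reconcile(scan: Dict[str, List[Tuple[str, str]]],
              approved: Dict[str, Set[str]]) -> Dict[str, List[Finding]]:
    """Compare each host's installed software against the approved list.

    Returns {host: [(product, version, finding)]}, where finding is
    'unapproved-product' (not on the list at all) or 'unapproved-version'
    (listed product, but a version that was never approved). Clean hosts
    are omitted so the result is the exception report an auditor wants.
    """
    findings: Dict[str, List[Finding]] = {}
    for host, installed in scan.items():
        host_findings: List[Finding] = []
        for product, version in installed:
            if product not in approved:
                host_findings.append((product, version, "unapproved-product"))
            elif version not in approved[product]:
                host_findings.append((product, version, "unapproved-version"))
        if host_findings:
            findings[host] = host_findings
    return findings


def summarize(findings: Dict[str, List[Finding]]) -> Dict[str, int]:
    """Count findings by type for the audit summary."""
    counts = {"unapproved-product": 0, "unapproved-version": 0}
    for items in findings.values():
        for _, _, kind in items:
            counts[kind] += 1
    return counts


if __name__ == "__main__":
    result = reconcile(SCAN_RESULTS, APPROVED)
    for host, items in result.items():
        for product, version, kind in items:
            print(f"{host}: {product} {version} -> {kind}")
    print(summarize(result))
```

Distinguishing an unapproved version from an unapproved product matters for the licensing point on the slide: an old version of a licensed product may be a support or patch-level issue, whereas a product absent from the list is the legal and security exposure the slide warns about.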
  • 6. Information System Operations and Business Resilience
  • Change management, configuration management and patch management
  • Change management
    • A change management process is used to change hardware, install software, and configure various network devices.
    • A change management process includes approval, testing, scheduling, and rollback arrangements.
    • A change management process ensures that any modification to or updating of the system is carried out in a controlled manner.
    • Any change to a system or process is likely to introduce new vulnerabilities, and hence it is very important for the security manager to identify and address new risks.
    • For effective change management, it is important that the security team is apprised of every major change. This will ensure that security aspects are considered for any change.
    • Change management is considered to be a preventive control, as it requires all change requests to pass through formal approval, documentation, and testing by a supervisory process.
    • One of the most important aspects of change management control is code signing. Code signing provides assurance that software has been generated from a reputable source and that the code has not been modified after having been signed. The process employs a hash function to determine the integrity and authenticity of code.
  • Configuration management
    • Configuration management determines a base software release.
    • The baseline is used to identify the software and hardware components that make up specific versions of a system.
    • In the case of the failure of a new release, the baseline is the point to which to return.
  • 7. Information System Operations and Business Resilience
  • Patch management
    • Patch management is the process of updating operating systems and other software to correct an error or enhance performance.
    • A well-defined and structured patch management process helps to address new vulnerabilities related to operating systems.
    • Patches are generally applied to operating systems, applications, and network software.
    • Patches help to fix vulnerabilities in the system. Patches should be applied through a structured change management process that includes approval, testing, user acceptance testing, and proper documentation.
    • Testing a patch prior to implementation is one of the most important aspects, as deploying an untested patch may cause the system to fail. Also, appropriate rollback procedures should be in place in case of unexpected failure.
    • Compliance testing will help to ensure that a change management process is applied consistently and that changes are appropriately approved.
    • The best method to determine the effectiveness of a control process is to first review a sample of conducted changes and then ask for the relevant approvals for these changes.
  • 8. Information System Operations and Business Resilience
  • Database management system (DBMS)
    • A database management system (DBMS) helps in organizing, controlling, and managing data.
    • It aims to reduce data redundancy and improve access time.
    • It also aims to provide appropriate security for sensitive data.
  • Database models
  • Hierarchical:
    • Records are logically organized into a hierarchy of relationships.
    • All records in the hierarchy are called nodes.
    • Each node is related to the others in a parent-child relationship.
    • The top parent record in the hierarchy is called the root record.
  • 9. Information System Operations and Business Resilience
  • Network database model
    • Each set is made up of an owner record and one or more member records.
    • Unlike the hierarchical model, the network model permits a record to be a member of more than one set at one time.
    • This allows the many-to-one and many-to-many relationship types.
    • Network databases directly address the location of a record on disk. This gives excellent retrieval performance.
  • 10. Information System Operations and Business Resilience
  • Relational database model
    • In a relational database, all the tables are related through one or more fields. Through these common fields, it is possible to connect all the tables in a database.
    • For each table, one of the fields is identified as a primary key, which is the unique identifier for each record in the table.
    • The primary key is used to join or combine data from two or more tables.
    • Referential integrity refers to the integrity and correctness of data within a related table.
    • The data in primary or master tables should be consistent with the data in related tables (also known as foreign tables).
    • Any changes to the primary key must be applied to the associated foreign keys.
    • Referential integrity will prevent users from adding records to a foreign table if the corresponding records are not available in the primary table.
    • At the same time, users cannot delete primary keys if related records are available in the foreign table.
    • In the table shown on the slide, employee number 1 cannot be deleted as it also exists in foreign tables. However, employee number 6 can be deleted from the primary table as it does not exist in any foreign table.
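The employee example on this slide can be reproduced against a real database engine. The following added example (written for this page, not from the deck) uses Python's built-in sqlite3 module with an in-memory database: a primary employee table and a salary table whose foreign key references it. The table names, columns and rows are constructed to match the slide's scenario (employee 1 has related records, employee 6 does not). Note that SQLite enforces foreign keys only after `PRAGMA foreign_keys = ON`; a database where that switch is off would silently allow both orphaned inserts and the deletion of referenced parents, which is exactly the kind of configuration an auditor checks for.

```python
import sqlite3
from typing import Tuple


def build_db() -> sqlite3.Connection:
    """In-memory database mirroring the slide: a primary (employee) table
    and a foreign (salary) table whose rows must reference an existing employee."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite enforces FK constraints only when this is on
    conn.executescript("""
        CREATE TABLE employee (
            emp_no INTEGER PRIMARY KEY,
            name   TEXT NOT NULL
        );
        CREATE TABLE salary (
            id     INTEGER PRIMARY KEY,
            emp_no INTEGER NOT NULL REFERENCES employee(emp_no),
            amount INTEGER NOT NULL
        );
    """)
    # Constructed sample data: employees 1..6; salary rows exist for 1, 2 and 3 only.
    conn.executemany("INSERT INTO employee VALUES (?, ?)",
                     [(i, f"Employee {i}") for i in range(1, 7)])
    conn.executemany("INSERT INTO salary (emp_no, amount) VALUES (?, ?)",
                     [(1, 5000), (2, 5200), (3, 4800)])
    conn.commit()
    return conn


def try_delete_employee(conn: sqlite3.Connection, emp_no: int) -> bool:
    """Attempt to delete a primary-table record; False if the FK constraint blocks it."""
    try:
        with conn:  # commits on success, rolls back on exception
            conn.execute("DELETE FROM employee WHERE emp_no = ?", (emp_no,))
        return True
    except sqlite3.IntegrityError:
        return False


def try_insert_salary(conn: sqlite3.Connection, emp_no: int, amount: int) -> bool:
    """Attempt to add a foreign-table record; False if emp_no has no parent record."""
    try:
        with conn:
            conn.execute("INSERT INTO salary (emp_no, amount) VALUES (?, ?)", (emp_no, amount))
        return True
    except sqlite3.IntegrityError:
        return False


def demo() -> Tuple[bool, bool, bool, bool]:
    conn = build_db()
    return (
        try_delete_employee(conn, 1),       # False: employee 1 is referenced by the salary table
        try_delete_employee(conn, 6),       # True:  no foreign records reference employee 6
        try_insert_salary(conn, 99, 1000),  # False: there is no employee 99 to reference
        try_insert_salary(conn, 4, 4500),   # True:  employee 4 exists in the primary table
    )


if __name__ == "__main__":
    print(demo())
```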
  • 11. Information System Operations and Business Resilience
  • Object-oriented database model
    • An object-oriented database is a set of objects. Each object is an independently functioning application or program, assigned a specific task to perform.
    • The OODM is designed to manage all these independent programs to quickly process large and complex requests.
    • An object-oriented database provides a mechanism to store complex data such as images, audio, and video.
  • Database normalization:
    • Normalization is the process of reducing duplicate data and thus reducing data redundancy.
    • Redundancy is considered undesirable in a database environment, as it means more effort and storage are needed to handle the data.
    • Disabling normalization will result in more redundant data, which may impact the consistency and integrity of the data.
    • When an IS auditor observes that some tables in a database are not normalized, they should review the justification and compensating controls for the denormalization.
  • Database checks and controls
    • Concurrency control: To prevent integrity issues during simultaneous updates by multiple users.
    • Table link/table reference check: To identify table linking errors such as incomplete or inaccurate content in a database.
    • Integrity constraint: To allow only valid predefined data to enter the database, and to prevent out-of-range data in the database. It is a preventive control.
    • Atomicity: To ensure that either the entire transaction is processed or none of it is processed. This ensures that partially executed transactions are rolled back and not processed.
    • Referential integrity: This will prevent the deletion of a primary table record as long as it has associated foreign key records.
  • 12. Information System Operations and Business Resilience
    • Commit and rollback controls: This ensures that a transaction is completed in its entirety or not at all. It ensures integrity.
    • User spool and database limit control: This helps to control space utilization and thus improve database query performance.
    • Restore procedure: In the case of corruption in a database, the database can be restored to its last archived version. This is a corrective control.
    • Column- and row-level restrictions: This helps to restrict particular sensitive columns or rows of a database to only a few authorized users. This means there is no need to have a separate database for such sensitive information.
  • Segregation of duties
    • An IS auditor should understand the various roles and responsibilities of database administrators (DBAs) to ensure that an appropriate segregation of duties exists.
    • The following are some of the routine activities of a DBA:
      • Conducting changes in the database table
      • Conducting backup and recovery procedures
      • Consulting on database interfaces
      • Using tools and techniques to optimize database performance
    • It is very important to ensure that the DBA conducts the preceding activities using their named account (and not a shared account) to establish accountability.
    • Logs should be captured for all database activities. Logs should be restricted from modification, and DBAs should not be provided with access to the log server.
    • From the perspective of control, DBAs should not be allowed to perform the following activities:
      • Activities related to log capturing and the monitoring of DBA functions
      • End user activities
      • Security patch updates for the operating system
  • 13. Information System Operations and Business Resilience
  • Business resilience
    • Business resilience is the mechanism by which prevention and recovery mechanisms are developed to deal with possible threats to a company.
    • It is the ability to adapt quickly to disruptions while maintaining ongoing business operations and safeguarding people, assets, and brand equity overall.
  • Business impact analysis
    • The BIA is a process to determine and evaluate the impact of disruption on business processes and so prepare to deal with such disruptive events.
    • A BIA is a process to determine the critical processes that have a considerable impact on the business.
    • It determines the processes to be recovered as a priority so as to ensure the organization's survival.
    • In order to conduct a successful BIA, it is necessary to obtain an understanding of the organization and its key business processes and their dependency on IT and other resources.
    • This can be obtained from the outcome of the risk assessment.
    • The involvement of senior management, the IT department, and end users is critical in terms of conducting a BIA successfully.
    • The following are some of the approaches when it comes to performing a BIA:
      • A questionnaire approach involves developing a detailed set of questions and circulating it to key users. The information obtained is then tabulated and analyzed to develop a BIA.
      • An interview approach involves interviewing key users. The information obtained is tabulated and analyzed to develop a BIA.
      • A meeting approach involves holding meetings with key users to ascertain the potential business impact of various disruptions.
    • To determine the business impact, two independent cost factors need to be considered. The first is downtime cost. Examples of downtime cost include a drop in sales, the cost of idle resources, and interest costs.
    • The other cost element relates to alternative corrective measures, such as the activation of a BCP and other recovery costs.
  • 14. Information System Operations and Business Resilience
  • Data backup and restoration
    • An organization should have a documented backup policy in place that clearly identifies the type of data and information for which making a backup is mandatory.
  • Types of backup strategy
    • Full backup: Backup of the full database.
    • Differential backup: Backup is taken only of the new data created since the last full backup (the reference backup is always a full backup).
    • Incremental backup: Backup is taken only of the new data created since the last backup (the reference backup can be either a full backup or an incremental backup).
    • In a full backup, the entire database is backed up every time, regardless of previous backups. However, a full backup consumes a lot of time and space.
    • To avoid this, many organizations resort to either a differential backup or an incremental backup.
  • Capacity requirements:
    • Full backup: Requires more time and storage capacity compared with the other two schemes.
    • Differential: Requires less time and storage capacity compared with a full backup, but more than an incremental backup.
    • Incremental: Requires less time and storage capacity compared with the other two schemes.
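The capacity ordering on this slide (full > differential > incremental) follows directly from what each scheme copies, and the trade-off is what must be read back at restore time. The following added example (not from the deck; the daily file states are constructed sample data, with file size standing in for a content hash as the change indicator) simulates one week of the three schemes over the same changes and counts the backup sets a restore would need.

```python
from typing import Dict, List

# Constructed snapshots of a data set on successive days: file name -> size in MB.
# A size change stands in for "content changed" (a real tool compares hashes or
# modification times). Day 0 is the day the full backup is taken.
DAILY_STATE: List[Dict[str, int]] = [
    {"a": 100, "b": 200, "c": 300},           # day 0: full backup, 600 MB
    {"a": 100, "b": 210, "c": 300},           # day 1: b modified
    {"a": 100, "b": 210, "c": 300, "d": 50},  # day 2: d created
    {"a": 120, "b": 210, "c": 300, "d": 50},  # day 3: a modified
]


def changed_since(current: Dict[str, int], reference: Dict[str, int]) -> Dict[str, int]:
    """Files that are new or modified relative to the reference snapshot.
    (Deleted files occupy no space in the backup set and are ignored here.)"""
    return {f: size for f, size in current.items() if reference.get(f) != size}


def plan(states: List[Dict[str, int]], scheme: str) -> List[int]:
    """Size in MB of each day's backup set under 'full', 'differential' or 'incremental'.

    Day 0 is always a full backup. A differential set holds everything changed since
    the last full backup; an incremental set holds only what changed since the
    previous backup of any kind.
    """
    sizes = [sum(states[0].values())]
    for day in range(1, len(states)):
        if scheme == "full":
            sizes.append(sum(states[day].values()))
        elif scheme == "differential":
            sizes.append(sum(changed_since(states[day], states[0]).values()))
        elif scheme == "incremental":
            sizes.append(sum(changed_since(states[day], states[day - 1]).values()))
        else:
            raise ValueError(f"unknown scheme: {scheme}")
    return sizes


def sets_needed_to_restore(scheme: str, days: int) -> int:
    """Number of backup sets that must be read to rebuild the state of the last day."""
    if scheme == "full":
        return 1                          # the latest full set alone
    if scheme == "differential":
        return 1 if days == 1 else 2      # last full + latest differential
    if scheme == "incremental":
        return days                       # last full + every incremental since it
    raise ValueError(f"unknown scheme: {scheme}")


if __name__ == "__main__":
    for scheme in ("full", "differential", "incremental"):
        sizes = plan(DAILY_STATE, scheme)
        print(f"{scheme:12s} sets={sizes} total={sum(sizes)} MB "
              f"restore needs {sets_needed_to_restore(scheme, len(DAILY_STATE))} set(s)")
```

On this data the totals come out at 2550 MB (full), 1450 MB (differential) and 980 MB (incremental), while a restore of day 3 needs 1, 2 and 4 sets respectively: the scheme that is cheapest to write is the one whose restore depends on the most media being intact, which is why the restore procedure on the earlier slide is itself a control worth testing.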
  • 15. Information System Operations and Business Resilience
  • System resiliency
    • System resilience is the ability of a system to withstand a disaster and to recover within an acceptable timeframe.
  • Application resiliency – clustering
    • Clustering helps to protect an application against a disaster.
    • The aim of clustering is to provide for the high availability of the system.
    • Cluster software is installed on every server where the application runs.
    • An application that is clustered is protected against a single point of failure.
    • Application clusters can be either active-passive or active-active. In an active-passive setup, an application runs only on one node, while the other, passive nodes are used only if the application fails on the active node.
    • In an active-active cluster setup, the application runs on every node of the cluster.
    • An active-active setup, though more expensive than an active-passive setup, provides quick application recovery, load balancing, and scalability.
  • Telecommunication network resiliency
    • It is important to arrange for redundant telecommunication and network devices in order to ensure the continuity of business operations.
    • The following are network protection methods:
      • Alternative routing: This is a method of routing the information through alternative cables such as copper cable or fiber optic cable. There are two types:
        • Last-mile circuit protection: Used to provide redundancy for local communication.
        • Long-haul network diversity: Used to provide redundancy for long distance communication.
      • Diverse routing: This is a method for routing information through split or duplicate cables.
    • In diverse routing, a single cable is split into two parts, whereas in alternative routing, two entirely different cables are used.
  • 16. Information System Operations and Business Resilience
  • Business continuity plan
    • The objective of a BCP process is to manage and mitigate the risk of disaster so that the continuity of business operations can be ensured.
    • It is very important that the BCP is reviewed and approved by senior management. This will ensure that the BCP is aligned with the goals of the business.
  • Steps of the BCP life cycle
    • Project and scope planning
    • Risk assessment and analysis
    • BIA
    • Business continuity strategy development
    • BCP development
    • Business continuity awareness training
    • BCP testing
    • BCP monitoring, maintenance, and updating
  • The plan should be well documented and written in simple language that is understandable to all.
  • The plan should clearly document the responsibilities and accountability of each individual responsible for specific tasks in the event of a disaster.
  • A BCP should also consider the type and requirement of the backup procedure.
    • Generally, for critical and time-sensitive data, shadow file processing is recommended.
    • In shadow file processing, exact duplicates of files are maintained, preferably at a remote site.
    • Both files are processed concurrently. Shadow file processing can be implemented as a recovery mechanism for extremely time-sensitive transaction processing.
  • It is important to ensure that the offsite location is not subject to the same risks as the primary site.
    • If both the primary site and the offsite location operate from the same place, a disaster may put both of them out of action, which could have an adverse impact on business continuity.
  • It is recommended to review the BCP in terms of its adequacy every time a risk assessment is conducted, in order to ensure that the BCP is aligned with the latest risk assessment of the organization.
  • 17. Information System Operations and Business Resilience
  • Types of BCP tests
    • Checklist test: Copies of the plan are distributed to different departments; functional managers review them.
    • Structured walk-through (tabletop) test: Representatives from each department go over the plan.
    • Simulation test: Going through a disaster scenario. Continues up to the actual relocation to an offsite facility.
    • Parallel test: Systems are moved to the alternate site, and processing takes place there.
    • Full-interruption test: The original site is shut down. All processing is moved to the offsite facility.
  • Disaster recovery plan
    • A DRP is a set of documented processes to recover and protect a business's IT infrastructure in the event of a disaster.
    • It involves various plans for actions to be taken before, during, and after a disaster. A DRP is like insurance; you will only realize its importance when a disaster occurs.
  • BCP vs DRP
    • The objective of the BCP is to keep business operations functioning either from an alternate location or by means of alternative tools and processes.
    • The objective of the DRP is to restore normal business operations and to recover from a disaster.
    • The BCP is the overall architecture for business continuity, whereas the DRP is regarded as the technological aspect of the BCP, with more focus on IT systems and operations.
  • 18. Information System Operations and Business Resilience
  • BCP metrics:
  • Recovery time objective (RTO)
    • RTO is the extent of acceptable system downtime. For example, an RTO of 2 hours indicates that an organization will not be overly impacted if its system is down for up to 2 hours.
  • Recovery point objective (RPO)
    • RPO is the extent of acceptable data loss. For example, an RPO of 2 hours indicates that an organization will not be overly impacted if it loses data for up to 2 hours.
    • Example 1: An organization can accept data loss for up to 4 hours. However, it cannot afford to have any downtime. RTO – 0 hours; RPO – 4 hours.
    • Example 2: An organization takes a data backup twice daily; that is, at noon and then at midnight. What is the RPO? RPO – 12 hours.
    • If the RTO and RPO are low (that is, zero or near zero), then the systems and data are critical for the organization.
  • Maximum tolerable outage (MTO)
    • The MTO is the maximum amount of time that an organization can operate from an alternate site.
  • Service delivery objective (SDO)
    • The service delivery objective is the level of service and operational capability to be maintained from an alternate site.
    • The service delivery objective is directly related to business needs and is the level of service to be attained during disaster recovery.
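Example 2 on this slide (backups at noon and midnight give an RPO of 12 hours) generalizes: the worst-case data loss of a daily backup schedule is the longest gap between consecutive backups, including the gap that wraps across midnight. The following added example (written for this page, not taken from the deck) computes that figure for any schedule, the actual loss for a failure at a given time of day, and whether a schedule is frequent enough for a stated RPO; the schedules in the usage section are constructed.

```python
from typing import List


def worst_case_data_loss_hours(backup_hours: List[float]) -> float:
    """Maximum data loss in hours for a schedule given as hours-of-day (0 <= h < 24).

    A failure just before a backup runs loses everything since the previous one,
    so the worst case is the largest gap between consecutive backups, including
    the wrap-around gap from the last backup of one day to the first of the next.
    """
    if not backup_hours:
        raise ValueError("at least one backup per day is required")
    hours = sorted(h % 24 for h in backup_hours)
    gaps = [hours[i + 1] - hours[i] for i in range(len(hours) - 1)]
    gaps.append(24 - hours[-1] + hours[0])  # gap across midnight
    return max(gaps)


def data_loss_hours(backup_hours: List[float], failure_hour: float) -> float:
    """Hours of data lost if the system fails at failure_hour (hour of day)."""
    if not backup_hours:
        raise ValueError("at least one backup per day is required")
    hours = sorted(h % 24 for h in backup_hours)
    f = failure_hour % 24
    earlier = [h for h in hours if h <= f]
    # If no backup has run yet today, the last one was yesterday's final backup.
    last = earlier[-1] if earlier else hours[-1] - 24
    return f - last


def schedule_meets_rpo(backup_hours: List[float], rpo_hours: float) -> bool:
    """True if the backup frequency is sufficient for the stated RPO."""
    return worst_case_data_loss_hours(backup_hours) <= rpo_hours


if __name__ == "__main__":
    noon_and_midnight = [0, 12]                 # the slide's Example 2
    every_four_hours = [0, 4, 8, 12, 16, 20]    # constructed alternative schedule
    print("RPO for noon+midnight:", worst_case_data_loss_hours(noon_and_midnight))   # 12
    print("loss if failure at 23:00:", data_loss_hours(noon_and_midnight, 23))       # 11
    # Example 1 on the slide states an RPO of 4 hours; test both schedules against it.
    print("noon+midnight meets RPO 4h:", schedule_meets_rpo(noon_and_midnight, 4))   # False
    print("4-hourly meets RPO 4h:", schedule_meets_rpo(every_four_hours, 4))         # True
```

The RTO side of the slide is not derivable from a schedule in the same way: it is set by the business and then compared with what the recovery site and restore procedure can actually deliver, which is what the MTO and SDO on the same slide describe.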
  • 19. Information System Operations and Business Resilience
  • Alternate recovery sites
  • Mirrored site
    • A mirrored site is regarded as an exact replica of the primary site.
    • When arranging a mirrored site, the following components are already factored in:
      • The availability of space and basic infrastructure
      • The availability of all business applications
      • The availability of an updated data backup
    • A mirrored site can be made available for business operations in the shortest possible timeframe, as everything (in terms of systems and data) has already been considered and made available.
    • The cost of maintaining a mirrored site is very high compared to the alternatives.
  • Hot site
    • A hot site is the second-best alternative after a mirrored site.
    • The following components are already factored in while arranging a hot site:
      • The availability of space and basic infrastructure
      • The availability of all business applications
    • However, for a hot site to function, it also requires the following component:
      • An updated data backup
  • Warm site
    • The following components are already factored in while arranging a warm site:
      • The availability of space and basic infrastructure
      • The availability of a few business applications
    • However, for a warm site to function, it also requires the following components:
      • An arrangement regarding the required IT applications
      • An arrangement for the required data
  • 20. Information System Operations and Business Resilience
  • Cold site
    • The following component is already factored in while arranging a cold site:
      • The availability of space and basic infrastructure
    • However, for a cold site to function, it also requires the following components:
      • An arrangement regarding the required IT applications
      • An arrangement for the required data
  • Mobile site
    • A mobile site is a movable vehicle equipped with the necessary computer equipment.
    • A mobile site can be moved to any warm or cold site depending upon requirements.
    • The scale of business operations will determine the need for a mobile site.
  • Reciprocal agreement
    • In a reciprocal agreement, two organizations having similar capabilities and processing capacities agree to provide support to one another in case of an emergency.
    • Reciprocal agreements are not regarded as very reliable.
    • A reciprocal agreement is the least expensive option, as it relies solely on an arrangement between two firms.
  • 21. Protection of Information Assets
  • Privacy is the right of the individual to demand that the utmost care is taken of their personal information that has been shared with any organization or individual.
  • The following are some of the privacy principles:
    • Organizations should obtain appropriate consent before the transfer of personal information to another jurisdiction.
    • Organizations should specify the purposes for which personal information is collected.
    • Organizations are required to retain personal information only as long as necessary.
    • Organizations should have appropriate security safeguards for protecting personal information.
    • Organizations should have an appropriate process for reporting compliance with the privacy policy, standards, and laws.
    • Organizations should have an appropriate governance mechanism over any third-party service provider processing privacy data on behalf of the organization.
    • Organizations should comply with applicable data protection regulations for the transfer of personal information across country borders.
  • 22. Protection of Information Assets
  • Physical access and environmental controls
    • Physical controls aim to protect information system processing facilities through physical mediums, such as locks, fences, closed-circuit TV (CCTV), and devices that are installed to physically restrict access to a facility or hardware.
    • Similarly, environmental controls refer to measures taken to protect systems, buildings, and related supporting infrastructure against threats associated with their physical environment.
  • The following are four types of power failure:
    • Blackout: A complete loss of power.
    • Brownout: Severely reduced voltage, which may place strain on electronic equipment or may even lead to permanent damage.
    • Sags, spikes, surges:
      • A sag is a rapid decrease in voltage level. Spikes and surges are rapid increases in voltage level.
      • These may result in data corruption in the server or the system.
      • Sags, spikes, and surges may be prevented by using properly placed protectors.
      • Surge and spike devices help to protect against high-voltage power bursts.
    • The most effective control to protect against a short-term reduction in electrical power is a power line conditioner.
  • 23. Protection of Information Assets
  • Physical access and environmental controls (continued; the power failure types are as on the previous slide)
  • Electromagnetic interference (EMI):
    • EMI is generally the result of electrical storms or noisy electrical equipment.
    • EMI may result in system corruption or damage.
• 24. Protection of Information Assets
• Water and smoke detectors
• In the computer room, water detectors should be placed under raised floors and near drain holes.
• Smoke detectors should be installed above and below ceiling tiles throughout the facility and below the raised computer room floor.
• Detector locations should be clearly marked for easy identification and access, and detectors should be tested periodically.
• Fire suppression systems
• Wet pipe sprinkler: water is always present in the piping, so it is considered more effective and reliable than a dry pipe system. The disadvantage is that a leaking or damaged pipe exposes the premises to water damage.
• Dry pipe sprinkler: no water is held in the pipes. When the fire alarm triggers, a valve opens (or a pump starts) and water flows into the system. It does not expose the premises to water damage from pipe leakage, but it is less reliable than a wet pipe system.
• Halon system: Halon suppresses fire by interrupting the chemical chain reaction of combustion (it does not simply remove oxygen, as a carbon dioxide system does). It is harmful to humans and to the environment (ozone depletion), and its production is banned under the Montreal Protocol. An audible alarm must be installed and there must be a process to evacuate people before Halon is discharged.
• Popular replacements for Halon are FM-200 and Argonite.
• 25. Protection of Information Assets
• Physical access controls
• Bolting door locks: traditional locks that require a metal key. Keys must be kept under strict control, and no one should be allowed to duplicate them.
• Combination door locks (cipher locks): access is authorized through a numeric keypad or dial. Access codes should be given only to authorized people, changed frequently, and changed mandatorily whenever an employee who knows the code is transferred or terminated.
• Electronic door locks: access is granted through a magnetic-stripe or embedded-chip plastic card key. Such cards are difficult to duplicate, and a card is easily deactivated when it is lost or its holder is terminated.
• Biometric door locks: access is granted on a biometric feature of the user, such as voice, retina, fingerprint, or hand geometry. Biometric access controls are generally used for critical and sensitive facilities.
• Deadman doors: also known as a mantrap or airlock entrance. Two doors are used; the second door opens only after the first has closed and locked, and only one person is permitted in the space between the doors. A deadman door reduces the risk of tailgating (piggybacking), in which an unauthorized person follows an authorized person through a door.
• 26. Protection of Information Assets
• Identity and access management
• Logical access controls are a set of tools and protocols whose purpose is:
• Identification
• Authentication
• Authorization
• Accountability
• Access control categories
• Mandatory access control (MAC): access rules are set centrally by an approved policy (typically security labels on subjects and objects); users and data owners cannot modify them. MAC ensures that a file is shared only with users cleared for its security classification, so a user cannot pass the file to an unauthorized user.
• Discretionary access control (DAC): the data owner grants or modifies access at their discretion (for example, file permissions set by the file's owner). MAC is considered more robust and stringent than DAC.
• Role-based access control (RBAC): permissions are attached to roles and users are assigned roles, so access is granted on a need-to-know basis. RBAC simplifies security administration for large organizations with thousands of users and many permissions, and it is considered the most effective method for implementing segregation of duties (SoD), because conflicting roles can be declared mutually exclusive.
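• Worked example (added here, not part of the original slides): a minimal RBAC model for an accounts-payable workflow showing how permissions attach to roles and how SoD is enforced, both statically (a user may not hold two conflicting roles) and dynamically (the user who created an invoice may not approve it). The role names, permissions and conflict pairs are constructed for illustration; an `audit_sod()` function is included because an IS auditor typically has to find conflicts in assignments that were loaded before the rule existed.

```python
"""Role-based access control with segregation-of-duties checks (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed role -> permission mapping: permissions attach to roles, never to users.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "ap_clerk": {"invoice:create", "invoice:read"},
    "ap_approver": {"invoice:approve", "invoice:read"},
    "treasury": {"payment:release", "invoice:read"},
    "auditor": {"invoice:read", "payment:read"},
}

# Static SoD policy (constructed): pairs of roles one person must never hold together.
SOD_CONFLICTS: Set[frozenset] = {
    frozenset({"ap_clerk", "ap_approver"}),
    frozenset({"ap_approver", "treasury"}),
}


class SoDViolation(Exception):
    """Raised when an assignment or an action would break segregation of duties."""


@dataclass
class Invoice:
    number: str
    created_by: str
    approved_by: str = ""


class RBAC:
    def __init__(self) -> None:
        self.user_roles: Dict[str, Set[str]] = {}

    def assign(self, user: str, role: str) -> None:
        """Grant a role, refusing if it conflicts with a role the user already holds."""
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role {role!r}")
        for held in self.user_roles.get(user, set()):
            if frozenset({held, role}) in SOD_CONFLICTS:
                raise SoDViolation(f"{user} holds {held}; cannot also hold {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def permissions(self, user: str) -> Set[str]:
        """Effective permissions are the union of the permissions of the user's roles."""
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.user_roles.get(user, set())))

    def permitted(self, user: str, permission: str) -> bool:
        return permission in self.permissions(user)

    def audit_sod(self) -> List[Tuple[str, str, str]]:
        """Report existing assignments that violate the static SoD policy."""
        findings = []
        for user, roles in self.user_roles.items():
            for pair in SOD_CONFLICTS:
                if pair <= roles:
                    a, b = sorted(pair)
                    findings.append((user, a, b))
        return findings


def create_invoice(rbac: RBAC, user: str, number: str) -> Invoice:
    if not rbac.permitted(user, "invoice:create"):
        raise PermissionError(f"{user} may not create invoices")
    return Invoice(number=number, created_by=user)


def approve_invoice(rbac: RBAC, user: str, invoice: Invoice) -> Invoice:
    """Dynamic SoD: the approver needs the permission and must not be the creator."""
    if not rbac.permitted(user, "invoice:approve"):
        raise PermissionError(f"{user} may not approve invoices")
    if invoice.created_by == user:
        raise SoDViolation(f"{user} created {invoice.number} and cannot approve it")
    invoice.approved_by = user
    return invoice


if __name__ == "__main__":
    rbac = RBAC()
    rbac.assign("alice", "ap_clerk")
    rbac.assign("bob", "ap_approver")
    inv = create_invoice(rbac, "alice", "INV-1001")
    print(approve_invoice(rbac, "bob", inv))
    try:
        rbac.assign("alice", "ap_approver")
    except SoDViolation as exc:
        print("blocked:", exc)
```

The static check runs at assignment time, so a conflict never enters the system through the normal path; the dynamic check is still needed because two roles that are individually harmless can combine on one transaction, and the audit report catches legacy data that bypassed both.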
• 27. Protection of Information Assets
• Degaussing (demagnetizing)
• Proper media sanitization is critical to ensure that residual data on media cannot be recovered by an unauthorized person; a normal format or file deletion does not remove the data.
• To the greatest extent possible, media should be physically destroyed so that it cannot be reused. Where destruction is not economical, extreme care must be taken to delete the data completely so that it cannot be recovered by any tool or technique.
• One such method is to demagnetize the media, known as degaussing. Degaussing a hard drive eliminates the magnetic field patterns that encode the data (on modern drives it also destroys the servo tracks, so the drive is unusable afterwards).
• Degaussing has no effect on solid-state media (SSDs, flash drives), which must be sanitized by cryptographic erase, a vendor secure-erase command, or physical destruction.
• 28. Protection of Information Assets
• Factors of authentication:
• Something you know: a password, PIN, or other personal information.
• Something you have: a hardware token, one-time password generator, or smart card.
• Something you are: a biometric feature such as a fingerprint, iris scan, or voice pattern.
• Two-factor authentication means using two different factors from the preceding list; a password plus a PIN is still a single factor. For critical systems, it is advisable to require more than one factor for granting access.
• 29. Protection of Information Assets
• Single sign-on (SSO)
• Single sign-on (SSO) is a user authentication service that permits a user to use one set of login credentials (for example, a name and password) to access multiple applications.
• Because one credential protects many applications, strong password complexity (and ideally multi-factor authentication) should be enforced in this environment.
• One example of SSO is Kerberos, an authentication service used to validate users and services in a distributed computing environment by issuing tickets from a trusted key distribution center.
• Advantages of SSO
• Multiple passwords are not required, which encourages users to select a single strong password.
• Reduces the administrative overhead and cost of password resets, since there are fewer IT help desk calls about passwords.
• Reduces the time users spend logging in to multiple applications.
• Disadvantages of SSO
• SSO acts as a single authentication point for multiple applications, so it is both a single point of failure and a single point of compromise: one stolen credential opens every connected application.
• Support for all major operating system environments is difficult.
• 30. Protection of Information Assets
• Biometrics
• Biometric verification is a process through which a person is uniquely identified and authenticated by verifying one or more of their biological features.
• Examples: palm, hand geometry, fingerprints, retina and iris patterns, voice, and DNA.
• Biometric accuracy measures
• False acceptance rate (FAR): the rate at which unauthorized users are accepted. If the biometric system grants access to an unauthorized person, that is a false acceptance (a type II error).
• False rejection rate (FRR): the rate at which authorized users are rejected. If the biometric system denies access to an authorized person, that is a false rejection (a type I error).
• FAR and FRR move in opposite directions: tightening the matching threshold lowers the FAR but raises the FRR, and loosening it does the reverse. They are not strictly proportional, but for a given sensor and algorithm one cannot be reduced without increasing the other.
• Crossover error rate or equal error rate (CER or EER): the rate at which the FAR and FRR are equal (the point where the two curves cross).
• The biometric system with the lowest CER/EER is the most accurate; the one with the highest CER/EER is the least accurate.
• A retina scan is considered the most accurate and reliable identifier, with the lowest FAR.
• 31. Protection of Information Assets
• Biometric sensitivity tuning
• High false rejection rate: the most stringent setting. The matching criteria are set very high, so some valid users are rejected, but the system gives good protection for a critical database.
• High false acceptance rate: access control is not rigorous. The matching criteria are set low, so unauthorized users are sometimes accepted.
• Equal error rate: a moderate setting. Sensitivity is tuned so that the FRR equals the FAR (neither high false rejection nor high false acceptance).
• Thus, the security manager of a critical database would prefer a low FAR even at the cost of a high FRR, that is, matching criteria set at a high level.
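• Worked example (added here, not part of the original slides) of the accuracy measures and tuning on the two preceding slides: the matcher scores are constructed (ten genuine and ten impostor attempts); a sample is accepted when its score reaches the threshold, so sweeping the threshold shows the FAR falling while the FRR rises, the EER where they cross, and the FRR a critical-system operator pays for a zero FAR on this sample.

```python
"""FAR, FRR and EER computed from matcher scores (added example)."""
from typing import List, Tuple

# Constructed similarity scores in [0, 1]: genuine = enrolled users, impostor = outsiders.
GENUINE = [0.97, 0.95, 0.93, 0.92, 0.90, 0.88, 0.85, 0.82, 0.78, 0.70]
IMPOSTOR = [0.15, 0.22, 0.30, 0.41, 0.48, 0.55, 0.63, 0.72, 0.80, 0.86]


def far(threshold: float, impostor: List[float] = IMPOSTOR) -> float:
    """False acceptance rate: share of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold: float, genuine: List[float] = GENUINE) -> float:
    """False rejection rate: share of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def sweep(steps: int = 100) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) for thresholds 0.00, 0.01, ..., 1.00."""
    return [(i / steps, far(i / steps), frr(i / steps)) for i in range(steps + 1)]


def equal_error_rate() -> Tuple[float, float]:
    """Threshold where FAR and FRR are closest, and the error rate there (CER/EER)."""
    t, a, r = min(sweep(), key=lambda row: abs(row[1] - row[2]))
    return t, (a + r) / 2


def threshold_for_max_far(max_far: float) -> Tuple[float, float]:
    """Lowest threshold that keeps FAR <= max_far, with the FRR paid for it.

    This is the tuning a critical-system owner wants: bound false acceptance
    first, then read off how many genuine users will be turned away.
    """
    for t, a, r in sweep():
        if a <= max_far:
            return t, r
    return 1.0, frr(1.0)


if __name__ == "__main__":
    for t, a, r in sweep(10):
        print(f"threshold {t:.2f}  FAR {a:.2f}  FRR {r:.2f}")
    print("EER (threshold, rate):", equal_error_rate())
    print("zero FAR on this sample costs (threshold, FRR):", threshold_for_max_far(0.0))
```

On these constructed scores the curves cross at a threshold of 0.79 with EER 0.20, and forcing FAR to zero pushes the threshold to 0.87, where 40% of genuine attempts are rejected; that trade-off is exactly what the "high FRR" tuning on the slide above accepts.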
• 32. Protection of Information Assets
• Biometric attacks
• Replay attack: an intruder reuses residual biometric characteristics (for example, a latent fingerprint left on the sensor) or a captured sample to gain unauthorized access.
• Brute force attack: the attacker submits a large number of biometric samples, either to find one that is accepted or to cause the device to malfunction.
• Cryptographic attack: the attacker targets the algorithms or the encrypted data transmitted between the biometric device and the access control system.
• Mimic attack: the attacker reproduces a fake biometric feature of an enrolled user, for example by imitating their voice or presenting a moulded fingerprint.
• Liveness detection on the sensor and an encrypted, mutually authenticated link between the sensor and the controller are the usual countermeasures.
• 34. Protection of Information Assets
• Networking devices
• An IS auditor should have a basic understanding of the following network devices.
• Repeaters: address the risk of attenuation (weakening of the signal). A repeater receives a signal, amplifies and regenerates it, and so extends the distance a signal can cover or carries it past an obstruction. A repeater operates at layer 1 (physical layer).
• Hubs and switches: connect devices for the exchange of data. A hub operates at layer 1 (physical layer), whereas a switch operates at layer 2 (data link layer) of the OSI model. A switch is a more advanced version of a hub: a hub broadcasts every frame to all connected devices, whereas a switch forwards a frame only to the port of the destination device. A hub cannot store Media Access Control (MAC) addresses, whereas a switch keeps MAC addresses in a lookup table.
• Bridges: provide the same basic function as switches and also operate at layer 2 (data link layer). A bridge reads the destination MAC address and forwards the frame towards it; it can hold a frame before forwarding it (store-and-forward). A bridge has only a few ports, whereas a switch has many.
• 35. Protection of Information Assets
• Networking devices
• Routers: a router is a more advanced device than a switch and operates at layer 3 (network layer) of the OSI model. A router reads the destination IP address and forwards the packet towards it, whereas a switch forwards on MAC addresses. A router can monitor, control, and block network traffic (for example, with access control lists).
• Gateway: a gateway translates between different protocols and connects different networks; it is described as operating at layer 7 (application layer) of the OSI model.
• Network physical media
• Fiber optics
• Optical fiber is a thin, flexible strand of glass or plastic that carries binary signals as pulses of light.
• Fiber optic cable is considered more secure than copper wire because it does not radiate a signal and is difficult to tap without detection.
• Fiber optic is the preferred choice for long-distance links and high volumes of data.
• Fiber optic is not affected by electromagnetic interference (EMI).
• Fiber optic cable has very low transmission loss.
• 36. Protection of Information Assets
• Networking devices
• Twisted pair (copper circuit)
• Twisted pair cabling is also known as a copper circuit. Copper wire is cheaper than fiber optics.
• There are two categories: shielded twisted pair (STP) and unshielded twisted pair (UTP).
• STP is less prone to EMI and cross-talk and so is more reliable than UTP; UTP is more sensitive to EMI and cross-talk.
• Long parallel runs of UTP should be avoided, since the signal in one cable interferes with that in adjacent cables (this is what is meant by cross-talk).
• 37. Protection of Information Assets
• Risks of physical network media
• Attenuation: the loss or weakening of a signal over distance. It affects both wired and wireless transmission, and its severity grows with distance and cable length.
• EMI: interference or disturbance that degrades the quality of electrical signals. It is produced by nearby electrical or electronic equipment and can degrade the performance of a circuit or stop it functioning. For network data, EMI may cause total loss of data or an increased error rate. Major sources are electrical storms and noisy electrical equipment (for example, motors, fluorescent lighting, and radio transmitters).
• Cross-talk: the signal from one cable bleeds into the signal of another. It generally occurs between UTP cables that run close to one another.
• 38. Protection of Information Assets
• Network protocols
• Dynamic Host Configuration Protocol (DHCP): a protocol for managing network configuration. A DHCP server dynamically assigns an IP address and other network parameters (subnet mask, default gateway, DNS servers) to each device on a network so that it can communicate with other IP networks.
• Transport Layer Security and Secure Sockets Layer: Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) run on top of TCP and are commonly described as operating at the transport layer. They provide privacy and data security for communication over a network, using cryptographic functions to protect the confidentiality and integrity of data travelling over the internet and to authenticate the server. All versions of SSL, and TLS 1.0 and 1.1, are deprecated because of known attacks; only TLS 1.2 and 1.3 should be enabled.
• Transmission Control Protocol and User Datagram Protocol: TCP and UDP operate at the transport layer. TCP is a reliable, connection-oriented protocol: it ensures that packets are delivered to the destination, performs error checking, retransmits packets that are corrupted or lost, and delivers packets in sequence. UDP is connectionless and unreliable: packets may arrive out of order, be corrupted, or be dropped, and the destination does not acknowledge the packets it receives. UDP's advantage is lower latency, because it does not set up connections or retransmit.
• Secure Shell and Telnet: SSH and Telnet are remote terminal protocols through which a user connects to a terminal from a remote location. SSH provides authentication and encrypted transmission for the remote session. Telnet sends everything, including credentials, in clear text, so SSH should be used in place of Telnet.
• 39. Protection of Information Assets
• Firewall types and implementation
• Firewall: a device used to monitor and control network traffic. It is generally placed between the enterprise's internal network and the internet to protect the organization's systems and infrastructure.
• Types of firewalls
• Packet filtering router: the simplest and earliest form of firewall. It examines the source and destination IP address and port number of each packet and allows or denies it according to the defined rules, without remembering earlier packets. A packet filtering router operates at the network layer of the OSI model.
• Stateful inspection firewall: keeps a state table of the connections initiated from the internal network by tracking the destination of each outgoing packet. Only incoming packets that match an entry in the state table (that is, replies to a request that went out from the internal network) are allowed. A stateful inspection firewall is classified at the network layer of the OSI model, although it inspects transport-layer state such as ports and TCP flags.
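• Worked example (added here, not part of the original slides) contrasting the two firewall types above on the same constructed traffic. Both filters implement the same intent, "internal hosts may browse HTTPS on the internet". The stateless rule set has to admit any inbound packet whose source port is 443 so that replies get back in, and an attacker can abuse that; the stateful filter admits an inbound packet only if it answers a connection recorded in its state table. Addresses, ports and rules are constructed.

```python
"""Stateless packet filter versus stateful inspection (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = leaving the internal network, "in" = arriving from outside
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# A rule maps packet fields to required values; fields not listed match anything.
Rule = Dict[str, object]


def matches(rule: Rule, pkt: Packet) -> bool:
    return all(getattr(pkt, field) == value for field, value in rule.items() if field != "action")


class StatelessFilter:
    """Packet filtering router: first matching rule wins, default deny, no memory."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if matches(rule, pkt):
                return str(rule["action"])
        return "deny"


class StatefulFilter:
    """Stateful inspection: permitted outbound packets create state; inbound must match it."""

    def __init__(self, outbound_rules: List[Rule]) -> None:
        self.outbound_rules = outbound_rules
        self.state: Set[Tuple[str, str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            if any(matches(r, pkt) for r in self.outbound_rules if r["action"] == "allow"):
                self.state.add((pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return "allow"
            return "deny"
        # Inbound is allowed only as the exact reverse of a recorded outbound flow.
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "allow" if reverse in self.state else "deny"


# Constructed policy: internal hosts may reach HTTPS servers, nothing else.
STATELESS_RULES: List[Rule] = [
    {"direction": "out", "proto": "tcp", "dst_port": 443, "action": "allow"},
    # Required so replies get back in; it also admits anything sent from source port 443.
    {"direction": "in", "proto": "tcp", "src_port": 443, "action": "allow"},
]
STATEFUL_RULES: List[Rule] = [
    {"direction": "out", "proto": "tcp", "dst_port": 443, "action": "allow"},
]

# Constructed traffic: a legitimate HTTPS exchange, then an attacker's probe of SSH.
OUTBOUND = Packet("out", "tcp", "10.0.0.7", 51000, "198.51.100.10", 443)
REPLY = Packet("in", "tcp", "198.51.100.10", 443, "10.0.0.7", 51000)
PROBE = Packet("in", "tcp", "203.0.113.5", 443, "10.0.0.7", 22)


def run(fw, packets: List[Packet]) -> List[str]:
    return [fw.decide(p) for p in packets]


def compare() -> Dict[str, List[str]]:
    """Decisions of both filters over the same packet sequence."""
    return {
        "stateless": run(StatelessFilter(STATELESS_RULES), [OUTBOUND, REPLY, PROBE]),
        "stateful": run(StatefulFilter(STATEFUL_RULES), [OUTBOUND, REPLY, PROBE]),
    }


if __name__ == "__main__":
    for name, decisions in compare().items():
        print(f"{name:9s} outbound={decisions[0]} reply={decisions[1]} probe={decisions[2]}")
```

The probe from 203.0.113.5 is allowed by the stateless filter because it satisfies the "source port 443" reply rule, and denied by the stateful filter because no internal host opened a connection to it; the same reasoning is why a stateful filter also rejects a reply that arrives before any request went out.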
• 40. Protection of Information Assets
• Circuit-level firewall: works on the concept of a bastion host and proxy server. It provides one generic proxy for all services and operates at the session layer of the OSI model.
• Application-level firewall: regarded as the most secure type of firewall. It operates at the application layer of the OSI model and understands application protocols such as FTP and HTTP. It also works on the concept of a bastion host/DMZ and proxy server, but it provides a separate proxy for each service.
• Proxy and bastion host/DMZ
• A DMZ is a network segment that can be reached from an external network. The objective of a DMZ is to prevent external traffic from having direct access to the organization's critical systems.
• Every system placed in the DMZ should be hardened, with all functionality that is not required disabled. Such systems are referred to as bastion hosts.
• 41. Protection of Information Assets
• A proxy sits between the internal and external networks.
• No direct communication is allowed between the internal and external networks; all communication passes through the proxy server.
• The demilitarized zone (DMZ) is the segment that is accessible from the external network; it exists to keep external traffic from reaching the organization's critical systems directly.
• Systems placed in the DMZ must be hardened, with all unneeded functionality disabled (bastion hosts).
• 42. Protection of Information Assets
• Firewall implementation:
• Dual-homed firewall: one packet filtering router and one bastion host with two Network Interface Cards (NICs), one on each network. IP forwarding is disabled on the host, so all traffic must pass through its proxies.
• 43. Protection of Information Assets
• Screened host firewall: one packet filtering router and one bastion host with a single NIC. The router screens traffic and directs permitted inbound traffic to the bastion host.
• 44. Protection of Information Assets
• Screened subnet firewall (demilitarized zone): two packet filtering routers (one external, one internal) with the bastion host on the subnet between them. Of the preceding implementations, the screened subnet is regarded as the most secure, because an attacker must get past both routers and the bastion host to reach the internal network.
• 45. Protection of Information Assets
• Placing a firewall
• The firewall should run on a hardened server with only the minimum necessary services enabled.
• It should be implemented on a domain boundary to monitor and control incoming and outgoing traffic.
• Penetration tests should be conducted periodically to confirm that the firewall rules are adequate.
• A firewall should, by default, reject packets that use IP source routing, since source routing lets the sender dictate the path and bypass routing controls.
• Firewall types and their OSI layer
• Packet filtering: network layer
• Stateful inspection: network layer
• Circuit level: session layer
• Application level: application layer
• 46. Virtual private networks
• A virtual private network (VPN) extends a private network across the internet in a secure manner.
• It provides a platform for remote users and branch offices to connect to the resources and applications hosted in the organization's private network.
• A VPN establishes a virtual point-to-point connection by way of dedicated circuits or tunneling protocols.
• VPN technology safeguards critical data travelling over the internet; commonly the packets are encrypted using the IP Security (IPSec) standards.
• An IPSec VPN operates in either tunnel mode or transport mode.
• In tunnel mode, the entire original IP packet (including its header) is encrypted and encapsulated in a new IP packet whose header carries the addresses of the VPN gateways; this is the mode used between sites.
• In transport mode, only the payload is encrypted and the original IP header is sent in clear; this is used for host-to-host connections.
• 47. Protection of Information Assets
• VPNs
• Advantages of VPNs
• A VPN lets an organization expand its corporate network in a cost-efficient way.
• A VPN gives authorized remote users a secure and effective way of connecting to corporate networks.
• A VPN provides a platform for secure communication with business partners.
• Security risks
• Malware entering the network through remote access: if a remote computer is compromised, an intruder can send malicious code through the VPN into the organization's private network.
• Poor configuration management (for example, weak authentication, obsolete cipher suites, or split tunneling that exposes the internal network to the remote host's other connections).
• 48. Protection of Information Assets
• Wireless network
• A network connection that does not use a cable or wire is a wireless network. Cell phone networks and wireless local area networks (WLANs) are examples.
• Wireless network protection
• Enabling encryption: encryption converts data into an unreadable form, scrambling the data sent over the wireless network into a code. For wireless connections, WPA2 is the strongest widely supported encryption standard (WPA3 should be used where devices support it); WEP and the original WPA are broken and must not be used.
• Enabling MAC filtering: each device has a unique identifier known as its MAC address, so the router can be set to admit only selected, authorized devices and block others. On its own this is a weak control, because MAC addresses are transmitted in clear and can be spoofed.
• Disabling SSID broadcast: the SSID is the name (network ID) of the wireless network. If broadcast is not disabled, the name is visible to anyone with a wireless device within range. Hiding the SSID only stops casual discovery; the name still appears in client probe and association frames.
• Disabling DHCP: Dynamic Host Configuration Protocol (DHCP) automatically assigns an IP address to each device that connects so that it can communicate with other IP networks. If DHCP is disabled, addresses are configured manually as static IP addresses, which slightly raises the bar for an unauthorized device, although an attacker who observes traffic can simply pick a valid address.
• 49. Protection of Information Assets
• Common attack methods
• Rogue access point: an access point installed by an attacker (or an unaware employee) on a secure network to gain unauthorized access. It creates a wireless backdoor for unauthorized users, bypassing the network firewalls and monitoring devices and exposing the network to attack.
• War driving: searching for wireless networks from a moving vehicle with a laptop or other wireless device running scanning tools. The same technique is used by information security auditors to test an organization's wireless security.
• War walking: the same process carried out on foot instead of from a vehicle; commonly done in public areas such as malls, hotels, and city streets.
• War chalking: drawing a mark or symbol in a public area to indicate the existence of an open wireless network. The symbols are subsequently used by others to exploit weak wireless networks.
• 50. Protection of Information Assets
• Public key cryptography and other emerging technologies
• Cryptography is the art or science of secret writing, using techniques such as encryption.
• Encryption converts data into unreadable code so that it cannot be accessed or read by unauthorized people; decryption converts it back into readable form.
• Encryption is of two types: symmetric and asymmetric.
• Symmetric encryption
• A single key is used both to encrypt and to decrypt messages.
• Computation and processing are comparatively fast.
• The disadvantage is that the key must be shared securely with the other party.
• Asymmetric encryption
• Two mathematically related keys are used, a public key and a private key: one encrypts and the other decrypts.
• A message encrypted with one key can be decrypted only with the other key.
• Computation and processing are comparatively slow.
  • 51. Protection of Information Assets Symmetric vs Asymmetric
• 52. Protection of Information Assets
• Encryption keys
• Sender's private key: held only by the sender.
• Sender's public key: available in the public domain; can be accessed by anyone.
• Receiver's private key: held only by the receiver.
• Receiver's public key: available in the public domain; can be accessed by anyone.
• What each key usage offers:
• Confidentiality: the receiver's public key is used to encrypt the message and the receiver's private key to decrypt it.
• Authentication and non-repudiation: the sender's private key is used to sign (encrypt the hash of) the message and the sender's public key to verify it.
• Integrity:
• The sender creates a hash of the message.
• This hash is encrypted with the sender's private key (this is the digital signature).
• The message and the encrypted hash are sent to the receiver.
• The receiver does two things: decrypts the hash using the sender's public key, and recomputes the hash of the received message.
• The receiver compares the two hashes; if they match, the message is considered correct, complete, and accurate.
  • 53. Protection of Information Assets • The following table will help us to understand the use of different keys to achieve each of the preceding objectives:
• 54. Protection of Information Assets
• Message hash
• A hash value is a fixed-length digital code computed from the message content, also known as a message digest.
• A slight change in the message produces a completely different hash value, so the hash is used to ensure the integrity of the message.
• A hash value is used in the creation of a digital signature: the hash, encrypted with the sender's private key, becomes the digital signature.
• A digital signature establishes the integrity of a message and the authentication of the sender (non-repudiation).
• Combining symmetric and asymmetric methods
• The most efficient use of Public Key Infrastructure (PKI) combines the best features of asymmetric and symmetric methods.
• The challenge of asymmetric encryption is that it is expensive and slow for large messages.
• Symmetric encryption is much faster, but it poses the challenge of sharing the symmetric key with the other party.
• To combine the benefits of both and address their challenges, the following process (hybrid encryption) is used:
• Step 1: Encrypt the entire message with a freshly generated symmetric (session) key, which is fast and inexpensive.
• Step 2: Encrypt the symmetric key with the public key of the receiver.
• Step 3: Send the encrypted message (step 1) and the encrypted symmetric key (step 2) to the receiver.
• Step 4: The receiver decrypts the symmetric key using their private key.
• Step 5: The receiver uses the symmetric key to decrypt the full message.
• 55. Protection of Information Assets
• Public Key Infrastructure
• A public key infrastructure (PKI) is the set of rules, roles, and procedures for the creation, management, distribution, storage, and use of digital certificates and public key encryption.
• Digital certificate: an electronic document that proves the ownership of a public key. It includes information about the key, the identity of the key owner, and the digital signature of the issuer of the certificate.
• Certification Authority (CA): the entity that issues digital certificates.
• Registration Authority (RA): the entity that verifies user requests for digital certificates and recommends that the CA issue them.
• Certificate Revocation List (CRL): a list of digital certificates that the CA has revoked before their expiry date; these certificates should no longer be trusted.
• Process involved in PKI
• Step 1: The applicant applies to the Certification Authority (CA) for issuance of a digital certificate.
• Step 2: The CA delegates the verification process to the Registration Authority (RA).
• Step 3: The RA verifies the correctness of the information provided by the applicant.
• Step 4: If the information is correct, the RA recommends that the CA issue the certificate.
• Step 5: The CA issues the certificate and manages it through its life cycle.
• The CA also maintains details of certificates that have been terminated or revoked before their expiry date; this list is the certificate revocation list (CRL). Relying parties should check the CRL (or an OCSP responder) before trusting a certificate.
• The CA also maintains a Certification Practice Statement (CPS) containing the standard operating procedures (SOP) for issuance and management of certificates.
• The private key of the certification authority is used to sign the digital certificates issued to all parties in the PKI, so it must be protected most stringently (typically in a hardware security module).
• 56. Protection of Information Assets
• Digital signature
• A digital signature is a digital code attached to an electronically transmitted document to verify its contents and the sender's identity.
• Steps for creating and verifying a digital signature
• Step 1: Create a hash (message digest) of the message. A hash function is a mathematical algorithm that produces a fixed-length string for any given message; the hash value is, for practical purposes, unique to each message.
• Step 2: Encrypt the hash derived above with the private key of the sender. The result is the digital signature, which is sent along with the message.
• Step 3: The receiver calculates the hash value of the received message.
• Step 4: The receiver decrypts the digital signature using the public key of the sender.
• Step 5: The receiver compares the two values.
• If both tally, the integrity of the message and the identity of the sender are established.
• A digital signature ensures integrity (the message was not tampered with), authentication (the message was sent by the sender), and non-repudiation (the sender cannot deny sending it), but not confidentiality: the message itself is still sent in clear unless it is separately encrypted.
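• Worked example (added here, not part of the original slides) that carries the key-usage rules of slide 52, the hybrid process of slide 54, and the signature steps of slide 56 through in code. To run with the standard library alone it uses textbook RSA with fixed Mersenne primes, no padding, and a toy SHA-256 keystream cipher; that is enough to show which key is used for which purpose but it is not secure, and a real system must use a vetted library (RSA-OAEP/PSS or better, and AES-GCM). The keys, the message and the cipher are constructed for the example.

```python
"""Confidentiality, signature and hybrid encryption with textbook RSA (added example)."""
import hashlib
import os
from typing import Tuple

PublicKey = Tuple[int, int]   # (n, e)
PrivateKey = Tuple[int, int]  # (n, d)


def rsa_keypair(p: int, q: int, e: int = 65537) -> Tuple[PublicKey, PrivateKey]:
    """Textbook RSA: n = p*q and d = e^-1 mod (p-1)(q-1). Toy primes, no padding."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


# Constructed keys: Mersenne primes chosen so that n is larger than 2^256 (the hash size).
SENDER_PUB, SENDER_PRIV = rsa_keypair(2**127 - 1, 2**521 - 1)
RECEIVER_PUB, RECEIVER_PRIV = rsa_keypair(2**107 - 1, 2**607 - 1)


def rsa_apply(key: Tuple[int, int], value: int) -> int:
    """value^exp mod n. Encrypt/decrypt/sign/verify differ only in which key is passed."""
    n, exp = key
    assert 0 <= value < n, "value must be smaller than the modulus"
    return pow(value, exp, n)


def digest(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(sender_priv: PrivateKey, message: bytes) -> int:
    """Step 1: hash the message. Step 2: encrypt the hash with the sender's private key."""
    return rsa_apply(sender_priv, digest(message))


def verify(sender_pub: PublicKey, message: bytes, signature: int) -> bool:
    """Steps 3-5: recompute the hash, decrypt the signature with the sender's public key, compare."""
    return rsa_apply(sender_pub, signature) == digest(message)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256(key || counter) keystream. The same call decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def hybrid_encrypt(receiver_pub: PublicKey, message: bytes) -> Tuple[int, bytes]:
    """Encrypt the message with a fresh session key, then wrap that key with the receiver's public key."""
    session_key = os.urandom(32)
    ciphertext = stream_xor(session_key, message)
    wrapped_key = rsa_apply(receiver_pub, int.from_bytes(session_key, "big"))
    return wrapped_key, ciphertext


def hybrid_decrypt(receiver_priv: PrivateKey, wrapped_key: int, ciphertext: bytes) -> bytes:
    """Unwrap the session key with the receiver's private key, then decrypt the message."""
    session_key = rsa_apply(receiver_priv, wrapped_key).to_bytes(32, "big")
    return stream_xor(session_key, ciphertext)


if __name__ == "__main__":
    msg = b"Pay vendor 4711 the sum of 12,500 EUR"   # constructed message
    sig = sign(SENDER_PRIV, msg)                      # sender's private key: authentication
    wrapped, ct = hybrid_encrypt(RECEIVER_PUB, msg)   # receiver's public key: confidentiality
    plain = hybrid_decrypt(RECEIVER_PRIV, wrapped, ct)
    print("decrypted matches:", plain == msg, "| signature valid:", verify(SENDER_PUB, plain, sig))
    print("tampered message verifies:", verify(SENDER_PUB, plain + b"0", sig))
```

Note what the signature does not give: the ciphertext `ct` is what travels, and anyone holding the receiver's private key can read it, while `sig` proves only that the sender produced the plaintext; a single flipped byte in the message makes `verify` return False, which is the integrity check of slide 52.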
• 57. Protection of Information Assets
• Cloud computing
• Cloud computing is the use of servers hosted on the internet to store and process data, instead of a personal computer or local server.
• Cloud computing enables users to access computing resources through the internet from anywhere, without concern for the physical location of the resources.
• Characteristics of cloud computing:
• Organizations can access data or applications from anywhere, at any time, and from almost any device.
• Organizations can scale IT resources to business requirements at optimum cost (elasticity and pay-per-use).
• Usage of resources can be monitored, controlled, and reported.
• Deployment models
• A private cloud is operated for the exclusive use of one organization.
• A public cloud is open to all on a pay-per-use basis.
• A community cloud is used by a specific community of consumers who have shared concerns (for example, a common regulatory requirement).
• A hybrid cloud is a combination of private and public clouds.
• 58. Protection of Information Assets
• Types of cloud services
• Infrastructure as a Service (IaaS): services such as data storage, processing capability, memory, and network resources are provided to the user on demand. This lets users consume computing resources without owning or managing the underlying hardware; end users or IT architects provision virtual machines (VMs) as required. Examples of infrastructure service providers are Google Compute Engine, Amazon Web Services (AWS), OpenStack, and so on.
• Software as a Service (SaaS): an end user accesses an application through the internet. Instead of local storage and processing, the application is hosted on a cloud managed by a third-party service provider. For example, users can write a document in Google Docs without installing office software, or edit a photo online at pixlr.com without installing editing software.
• Platform as a Service (PaaS): users develop and deploy applications on a development platform made available by the service provider, instead of developing on local machines and hosting on a local server as in the traditional method. For example, Google App Engine, Windows Azure compute, and so on provide tools to develop and run applications.
• 59. Protection of Information Assets
• An IS auditor should consider the following risks and security controls for a cloud arrangement:
  • Ensure compliance with relevant laws, regulations, and standards.
  • Ensure compliance with privacy laws that restrict the movement of personal data to an offshore location.
  • Ensure the availability of information systems and data on a continuous basis.
  • Evaluate the business continuity and disaster recovery plan of the cloud service provider.
  • Evaluate the implemented controls for safeguarding the confidentiality, integrity, and availability of the data.
  • Ensure that the SLA includes clauses with respect to the ownership and custody of the data and the security administration of cloud-related services.
  • Ensure the inclusion of right-to-audit clauses in the SLA.
• 60. Protection of Information Assets
• Virtualization
  • Virtualization makes it possible to run multiple operating systems simultaneously on a single computer. With the use of virtualization, organizations can increase the efficiency and reduce the cost of IT operations.
  • Virtual resources such as servers, desktops, operating systems, storage, and networks can be created with the help of virtualization tools.
• Important terms
  • Hypervisor: software or hardware used to create virtual resources
  • Host: the original (physical) computer
  • Guest: a virtual resource created by a hypervisor
• The following are some of the risks of virtualization:
  • Improper configuration of the hypervisor may allow unauthorized access to guests.
  • Attackers may be able to gain unauthorized access with the help of mechanisms called guest tools.
  • Poor control of access to the hypervisor.
  • An attack on the host may impact all the guests as well.
  • Performance issues with the host may impact all the guests as well.
  • The risk of data leakage between guests if there is poor control over memory release and allocation.
• 61. Protection of Information Assets
• Bring your own device (BYOD)
  • Organizations should have an approved BYOD policy.
  • An organization cannot escape its liability even if data is leaked through an employee's personal device.
  • Periodic awareness training on the use of BYOD should be organized.
  • If corporate data is stored on personal devices, the data should be properly encrypted and a remote data wipe facility should be enabled so that all data can be wiped if the device is lost or stolen.
• Virtualized desktop for BYOD
  • In a virtualized desktop setup, users can access their respective desktops from any remote location.
• The Internet of Things (IoT)
  • IoT is a concept wherein devices have the ability to communicate and transfer data with each other without any human interference, for example, Alexa or Google Assistant.
  • An auditor should consider the following risks with respect to IoT:
    • The impact of IoT on the health and safety of human life
    • Regulatory compliance with respect to the use of IoT
    • The impact of IoT on user privacy
    • The impact of IoT on device vulnerabilities
• 62. Protection of Information Assets
• Security awareness training and programs
  • Security awareness training is the most important element of an information security program.
  • In the absence of a structured and well-defined security awareness training program, the security program will not deliver the desired results. It is not possible to address security risks through technical security measures alone.
  • It is important to address the behavioural aspects of employees through continuous awareness and education.
  • The most effective way to increase the effectiveness of the training is to customize it for the target audience and to address the systems and procedures applicable to that particular group.
  • For new joiners, the security awareness program should be part of the orientation program. It must be ensured that a user has been trained on the acceptable use of information resources before any system or data access is provided.
  • The security manager should design quantitative evaluation criteria to determine the effectiveness of security training and user comprehension.
  • Adherence to information security requirements is the best way to monitor the effectiveness of security programs. If exceptions are minimal, this indicates that employees are aware of the security requirements.
  • More exceptions indicate a lack of awareness among employees and that the information security programs are not effective.
• 63. Different attack methods
• Man-in-the-middle attack
  • In this attack, the attacker interferes while two devices are establishing a connection. Alternatively, the attacker actively establishes a connection to each of the two devices and pretends to each of them to be the other device.
  • If either device asks for authentication, the attacker forwards the request to the other device and relays the response back to the first device.
  • Once a connection is established, the attacker can communicate and obtain information as they wish.
• Masquerading
  • In this type of attack, an intruder hides their original identity and acts as someone else.
  • This is done to access a system or data that is restricted.
• IP spoofing
  • In IP spoofing, a forged IP address is used to break through a firewall.
  • IP spoofing can be considered the masquerading of a machine.
• Message modification
  • In this type of attack, a message is captured and altered or deleted without authorization.
  • For example, a message to a bank is modified to make a payment.
• Network analysis
  • In this type of attack, an intruder builds a repository of information about a particular organization's internal network, such as internal addresses, gateways, and firewalls.
• 64. Different attack methods
• Packet replay
  • In this type of attack, an intruder captures data packets as the data moves along a vulnerable network.
• Pharming
  • In this type of attack, the traffic of a website is redirected to a bogus website.
  • This is done by exploiting a vulnerability in the DNS server.
  • Pharming is a major concern for e-commerce and online banking websites.
• Piggybacking
  • This refers to a physical security vulnerability: the intruder follows an authorized person through a secured door to gain unauthorized access.
• Password sniffing
  • In a password sniffing attack, tools are used to listen to all the TCP/IP traffic on the network and extract usernames and passwords. Such a tool is known as a password sniffer.
  • These passwords are then used to gain unauthorized access to the system.
• Parameter tampering
  • The unauthorized modification of web application parameters with malicious intent is known as parameter tampering.
• Privilege escalation
  • In a privilege escalation attack, high-level system authority is obtained by an employee through unauthorized methods, by exploiting security flaws.
• Race condition
  • This is also known as a time-of-check/time-of-use (TOC/TOU) attack.
  • In this attack, an intruder exploits the small time window between the point in time at which a service is accessed and the point in time at which a security control is applied.
  • The longer the gap between the time of check and the time of use, the higher the chance of a race condition attack succeeding.
• 65. Different attack methods
• Salami
  • In this technique, a small amount of money is sliced from a computerized transaction and transferred to unauthorized accounts.
• Social engineering
  • In a social engineering attack, an attempt is made to obtain sensitive information from users by tricking and manipulating people.
  • Social engineering is generally conducted through dialogue, interviews, inquiries, and other social methods of interaction.
  • The objective of social engineering is to exploit human nature and weaknesses in order to obtain critical and sensitive information.
  • By implementing adequate and effective security awareness training, the consequences of social engineering attacks can be minimized.
• Shoulder surfing
  • In a shoulder surfing attack, an intruder or a camera captures sensitive information by looking over the shoulder of a user entering their details, which are visible on the computer screen.
• Virus
  • A virus is a type of malicious code that can self-replicate and spread from computer to computer.
  • A virus can take control of a user's computer and can delete or alter sensitive files. It can also disrupt system functioning.
• Worms
  • Worms are destructive programs that can destroy sensitive data. However, worms do not replicate like a virus.
• 66. Penetration testing
  • In penetration testing, the tester uses the same techniques as hackers to gain access to critical systems/data.
  • Penetration testing helps to identify the risks relevant to the confidentiality, integrity, and availability of information systems.
  • The objective of penetration testing is to verify the control environment of the organization and to take corrective action if a deficiency is noted.
  • Penetration testing should be conducted only by a qualified and experienced professional.
  • From a risk perspective, the following aspects need to be covered within the scope of penetration testing:
    • Precise details of the IP addresses in scope need to be included in the scope of the audit.
    • Details of the testing techniques (SQL injection, DoS/DDoS, social engineering, and so on) should be provided.
    • The day and time of the attack (that is, during office hours or after office hours) should be included.
    • An appropriate warning should be given prior to the simulation so as to avoid false alarms being raised with law enforcement bodies.
• 67. Penetration testing
• Types of penetration tests
  • External testing:
    • In external testing, a penetration attack is performed on the target's network from an outside network, that is, mostly from the internet.
  • Internal testing:
    • In internal testing, an attack is conducted on the target from within the perimeter.
    • This is done to determine the security risk if an actual intruder happens to be within the organization.
  • Blind testing:
    • In blind penetration testing, the tester is not provided with any information or details about the network.
    • Here, the tester is regarded as blind because they do not have any knowledge of the target environment.
    • Such a test is expensive because detailed analysis, study, and research are required for an attack.
  • Double-blind testing:
    • Double-blind testing is the extended version of blind testing, in which even the administrator and other information security staff of the target entity are not aware of the test. It simulates a real attack.
    • Double-blind testing helps to determine the incident handling and response capability of the target organization.
• 68. Penetration testing
  • In white box penetration testing, relevant details of the infrastructure are made available to the tester in advance. This helps the tester concentrate on exploitation.
  • In a black box approach, no information about the infrastructure is provided to the tester, and the test simulates an actual hacking attempt.
  • The following are some of the risks associated with penetration testing:
    • A penetration test attempt by an unqualified auditor may have an adverse impact on the target's systems.
    • Sensitive information relating to the target environment gathered during penetration testing can be misused by the tester.
    • Inappropriate planning and timing of the attack may cause the system to fail.
    • This is a simulation of a real attack and may be restricted by law or regulations.
    • Such attacks without appropriate approvals may have an adverse impact.
• 69. Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
  • An intrusion detection system monitors a network (network-based IDS) or a single system (host-based IDS) with the objective of recognizing and detecting intrusion activity.
• Components of an IDS
  • Sensors: the function of the sensors is to collect the data.
  • Analyzers: the function of the analyzer is to analyze the data and determine whether there is intrusion activity.
  • Administration console: helps the administrator control and monitor IDS rules and functions.
  • User interface: lets the user view the results and carry out the required tasks.
• Limitations
  • An IDS operates on the basis of policy definitions.
  • Weak policy definitions weaken the function of the IDS.
  • An IDS cannot control application-level vulnerabilities.
  • An IDS cannot control a back door into an application.
  • An IDS cannot analyse data tunnelled through an encrypted connection.
• 70. Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
• Types of IDS
  • Signature based: the IDS looks for specific predefined patterns to detect intrusion.
    • Also known as a rule-based IDS.
    • Does not detect new attack methods for which signatures have not yet been developed.
  • Statistical based: the IDS attempts to identify abnormal behavior by applying statistical algorithms.
    • A statistical IDS generates the most false positives compared to the other types of IDS.
  • Neural network: works on the same principle as a statistical based IDS, but with the advanced functionality of self-learning.
  • If the criteria are not properly tuned, the IDS may generate false alarms or may fail to identify actual abnormalities. The most effective way to determine whether an IDS is properly tuned is to simulate various attack scenarios and review the performance of the IDS.
  • If the IDS is installed between the firewall and the external network, it will be able to identify all intrusion attempts, irrespective of whether the intrusion packets bypassed the firewall or not.
  • If the IDS is installed between the firewall and the internal network, it will be able to detect only those attempts that bypassed the firewall rules.
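The signature versus statistical distinction above, as an added example that is not part of the slides: a tiny signature matcher and a requests-per-minute anomaly detector run over constructed web-access records. The rules, the IP addresses and the threshold (mean plus three standard deviations over a training period) are all assumptions made for the illustration.

```python
import re
import statistics
from collections import Counter

# Constructed web-access records (minute, source IP, request path); not real traffic.
def burst(minute, ip, n, path="/index.html"):
    return [(minute, ip, path) for _ in range(n)]

# Training period: what "normal" per-source request rates look like.
BASELINE = (burst(1, "10.0.0.5", 1) + burst(1, "10.0.0.6", 2) + burst(2, "10.0.0.5", 1)
            + burst(2, "10.0.0.7", 3) + burst(3, "10.0.0.6", 2) + burst(3, "10.0.0.5", 1)
            + burst(4, "10.0.0.8", 1) + burst(4, "10.0.0.7", 2))

# Monitored period: two known patterns, one unknown high-volume pattern, one legitimate burst.
MONITORED = (
    [(5, "10.0.0.8", "/download?file=../../etc/passwd")]       # matches a known signature
    + [(5, "10.0.0.7", "/login?user=admin' OR '1'='1")]        # matches a known signature
    + [(5, "10.0.0.9", f"/api/item/{i}") for i in range(40)]   # no signature, abnormal volume
    + burst(5, "10.0.0.5", 6, "/search?q=shoes")               # legitimate but unusual burst
    + burst(5, "10.0.0.6", 2)
)

# Signature-based (rule-based) detection: only predefined patterns are recognised.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-injection": re.compile(r"'\s*OR\s*'\d+'\s*=\s*'\d+", re.IGNORECASE),
}

def signature_alerts(records):
    """Return {source IP: rule name} for every record that matches a known pattern."""
    alerts = {}
    for _minute, ip, path in records:
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts[ip] = name
    return alerts

# Statistical detection: learn normal requests-per-minute per source from the baseline,
# then flag any source whose rate in a minute exceeds mean + 3 standard deviations.
def rate_threshold(baseline):
    per_minute = Counter((minute, ip) for minute, ip, _ in baseline)
    rates = list(per_minute.values())
    return statistics.mean(rates) + 3 * statistics.pstdev(rates)

def statistical_alerts(records, threshold):
    """Return {source IP: requests in its busiest minute} for sources above the threshold."""
    per_minute = Counter((minute, ip) for minute, ip, _ in records)
    flagged = {}
    for (_minute, ip), count in per_minute.items():
        if count > threshold:
            flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged

if __name__ == "__main__":
    print("signature:", signature_alerts(MONITORED))
    thr = rate_threshold(BASELINE)
    print(f"statistical (threshold {thr:.2f}):", statistical_alerts(MONITORED, thr))
```

The signature detector misses the 40-request source entirely because no rule describes it, while the statistical detector catches it but also raises a false positive on the legitimate six-request burst, which is exactly the tuning trade-off the slide describes.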
• 71. Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)
  • Intrusion prevention systems have the ability not only to detect intrusion attempts but also to prevent the impact of the intrusion attack.
• Honey pots and honey nets
  • A honey pot is a decoy system set up to attract hackers and intruders.
  • The purpose of setting up a honey pot is to capture details of intruders in order to proactively strengthen security controls.
  • A honey net is a combination of linked honey pots. A honey net is used for large network setups.
• Domain name system (DNS)
  • The domain name system (DNS) provides a simple cross-reference between a domain name and the related IP address.
  • In a pharming attack, malware changes the DNS server settings and redirects users to malicious sites.
• 72. Incident Response Plan and Procedures
  • A well-defined incident management process will yield far better results in reducing business disruptions than an unorganized incident management process. With such a process:
    • The organization can effectively handle any unanticipated events.
    • The organization will have robust detection techniques and processes for the timely identification of incidents.
    • The organization will have well-defined criteria for defining the severity of an incident and an appropriate escalation process.
    • Experienced and well-trained staff will be available for the effective handling of incidents.
    • The organization will have well-defined communication channels for timely communication about incidents to different stakeholders and external parties.
    • The organization will have a well-defined process to analyze the root cause of an incident and to address the gaps in order to prevent its recurrence.
• Security Incident and Event Management (SIEM)
  • A Security Incident and Event Management (SIEM) system collects data from various sources and analyses it for possible security events.
  • A SIEM system has the capability to detect attacks by signature-based or behavior-based (heuristic) analysis.
  • A SIEM is the most effective method of determining the aggregate risk from different sources.
• 73. Incident Response Plan and Procedures
• Characteristics of an effective SIEM:
  • It has the ability to consolidate and correlate inputs from different systems.
  • It has the ability to identify incidents.
  • It has the ability to notify staff.
  • It has the ability to prioritize incidents based on their possible impact.
  • It has the ability to track the status of each incident.
  • It has the ability to integrate with other IT systems.
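The consolidate, correlate, prioritize and track characteristics listed on the two SIEM slides, as an added example that is not part of the slides or of any SIEM product: three constructed log formats (firewall, IDS, SSH authentication) are normalized into one schema, correlated per source address inside a time window, scored, ranked and tracked through a status workflow. The log formats, the 5-minute window, the weights and the severity cut-offs are assumptions chosen for the illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log lines from three sources, each in its own format (not real logs).
FIREWALL = ["2024-03-01T10:00:05 DENY src=203.0.113.7 dst=10.0.0.20 dport=22",
            "2024-03-01T10:00:07 DENY src=203.0.113.7 dst=10.0.0.20 dport=23",
            "2024-03-01T10:00:09 DENY src=203.0.113.7 dst=10.0.0.20 dport=3389"]
IDS = ["2024-03-01T10:00:20 ALERT sig=port-scan src=203.0.113.7"]
AUTH = ["2024-03-01T10:01:10 ssh login FAILED user=root from 203.0.113.7",
        "2024-03-01T10:01:40 ssh login OK user=root from 203.0.113.7",
        "2024-03-01T09:30:00 ssh login FAILED user=bob from 10.0.0.41"]

FW_RE = re.compile(r"^(\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")
IDS_RE = re.compile(r"^(\S+) ALERT sig=(\S+) src=(\S+)$")
AUTH_RE = re.compile(r"^(\S+) ssh login (OK|FAILED) user=(\S+) from (\S+)$")

@dataclass
class Event:
    ts: datetime
    source: str
    src_ip: str
    kind: str   # common vocabulary: fw-deny, fw-allow, ids-alert, auth-failed, auth-ok

def normalize(firewall, ids, auth):
    """Consolidate the three formats into one event schema, ordered by time."""
    events = []
    for line in firewall:
        ts, action, src, _dst, _port = FW_RE.match(line).groups()
        events.append(Event(datetime.fromisoformat(ts), "firewall", src, "fw-" + action.lower()))
    for line in ids:
        ts, _sig, src = IDS_RE.match(line).groups()
        events.append(Event(datetime.fromisoformat(ts), "ids", src, "ids-alert"))
    for line in auth:
        ts, result, _user, src = AUTH_RE.match(line).groups()
        events.append(Event(datetime.fromisoformat(ts), "auth", src, "auth-" + result.lower()))
    return sorted(events, key=lambda e: e.ts)

WEIGHTS = {"fw-deny": 1, "fw-allow": 0, "ids-alert": 3, "auth-failed": 2, "auth-ok": 0}

@dataclass
class Incident:
    src_ip: str
    severity: str
    events: list
    status: str = "new"

def correlate(events, window=timedelta(minutes=5)):
    """Correlate events per source IP inside a time window and rank by likely impact."""
    by_ip = {}
    for e in events:
        by_ip.setdefault(e.src_ip, []).append(e)
    incidents = []
    for ip, evs in by_ip.items():
        recent = [e for e in evs if evs[-1].ts - e.ts <= window]  # window ending at latest event
        score = sum(WEIGHTS[e.kind] for e in recent)
        kinds = {e.kind for e in recent}
        # a successful login after denies/alerts/failures from the same source is the strongest signal
        if "auth-ok" in kinds and kinds & {"fw-deny", "ids-alert", "auth-failed"}:
            score += 5
        severity = "critical" if score >= 8 else "high" if score >= 4 else "low"
        incidents.append(Incident(ip, severity, recent))
    rank = {"critical": 0, "high": 1, "low": 2}
    return sorted(incidents, key=lambda i: rank[i.severity])

def update_status(incident, new_status):
    """Track each incident through new -> assigned -> contained -> closed, in that order only."""
    allowed = {"new": "assigned", "assigned": "contained", "contained": "closed"}
    if allowed.get(incident.status) != new_status:
        raise ValueError(f"cannot move {incident.status} -> {new_status}")
    incident.status = new_status
    return incident.status
```

Run on the sample, the scan-then-successful-root-login sequence from 203.0.113.7 is ranked critical while the single failed login from 10.0.0.41 stays low, which is the aggregate view no single source would give on its own.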
• 74. Developing an IRP
• Preparation
  • Defining the process to handle incidents
  • Developing criteria for deciding the severity of an incident
  • Developing a communication plan with stakeholders
  • Developing the process to activate the incident management team
• Identification and triage
  • Determining whether the reported incident is valid
  • Assigning the incident to a team member
  • Detailed analysis of the incident
  • Determining the severity of the incident and escalating accordingly
• Containment
  • Coordinating with the relevant business owner
  • Deciding on the course of action to limit the exposure
  • Coordinating with the IT team and other relevant stakeholders to implement the containment process
• Eradication
  • Determining the root cause
  • Addressing the root cause
  • Improving the defense by implementing further controls
• 75. Developing an IRP
• Recovery
  • Restoring the system as defined in the SDO (service delivery objective)
  • Testing the system in coordination with the system owner
• Lessons learnt
  • Lessons learnt are documented to determine what happened, the details of the actions that were initiated, what went wrong, what went right, and areas for further improvement.
  • Gap analysis is the most effective way to determine the gap between current incident management capabilities and the desired level.
• 76. Protection of Information Assets
• Evidence collection and forensics
  • Digital evidence can be used in legal proceedings provided it has been preserved in its original state.
• Chain of custody
  • Evidence loses its integrity if the chain of custody is not maintained.
  • The chain of custody refers to the process of identifying, preserving, analyzing, and presenting evidence in such a manner that it demonstrates the reliability and integrity of the evidence.
  • The following are some of the major considerations when demonstrating the chain of custody:
    • Identify
      • This refers to the practice of identifying evidence. This process should not impact the evidence's integrity.
      • Evidence should not be altered or modified in any way.
    • Preserve
      • This refers to the process of preserving the evidence, such as imaging the original media.
      • This process should be followed in the presence of an independent third party. The process of preserving evidence should be documented for further reference.
    • Analyze
      • This refers to the process of interpreting and analyzing the evidence. This process should be performed on an image copy and not on the original evidence.
    • Present
      • This refers to the process of presenting the evidence to the various authorities. This process should not impact the integrity of the evidence. Evidence should not be altered or modified in any way.
• 77. Protection of Information Assets
• Key elements of computer forensics
  • Data protection
    • An incident response procedure and plan should be in place to ensure that the required information is not deleted or altered.
  • Data acquisition
    • All required information should be transferred in a controlled environment.
    • Write blocker devices should be used to ensure that electronic media is write-protected.
    • Volatile data such as open ports, open files, user logons, and other data helps to determine the status of the system.
    • This information is lost when the computer is shut down.
  • Imaging
    • Imaging is the process of copying data bit for bit so as to avoid inflicting damage on the original data.
    • It is used to obtain residual data such as deleted files and other information.
    • Imaging is helpful when multiple analyses are performed. Imaging copies the disk surface sector by sector.
  • Extraction
    • The extraction process involves the identification and selection of data from the imaged data.
  • Interrogation
    • Interrogation is the process of obtaining relevant data, such as IP addresses, telephone numbers, and other details, from the extracted data.
  • Ingestion/normalization
    • Using the normalization process, information is converted into a format that can be understood by an investigator.
    • Binary or hexadecimal data is converted into readable characters or into other formats suitable for data analysis tools.
  • Reporting
    • Reporting involves the presentation of findings in a structured way.
    • It includes details such as the objective and purpose of the review, the review process followed, and the conclusions arising from the review.
    • Reporting should not be ambiguous or open to misinterpretation, and it should be usable in legal proceedings.
• 78. Protection of Information Assets
• Protection of evidence
  • An IS auditor should consider the following safeguards in order to protect evidence:
    • Affected systems should not be rebooted.
    • Rebooting the system could result in the loss or corruption of evidence.
    • It is recommended to take one or more images of the affected system.
    • As far as possible, analysis should be performed on an image of the evidence and not on the original evidence.
    • The chain of custody should be preserved to ensure the integrity of the evidence.
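The identify, preserve, analyze and present steps of the chain of custody (slide 76), the sector-by-sector imaging and extraction of residual data (slide 77), and the rule that analysis happens on the image rather than the original (slide 78), as one added example that is not part of the slides or of any forensic tool. The "media" is a constructed byte string with a deleted-file remnant in it, the sector size and handler names are assumptions, and a SHA-256 digest recorded at every handling step stands in for the custody log; a mismatch between any logged digest and the current hash of the original is how a broken chain shows up.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

SECTOR = 16  # toy sector size for the sector-by-sector image (assumption)

# Constructed "original media": live file data followed by the remnant of a deleted file.
ORIGINAL_MEDIA = (b"BOOT-RECORD.....INVOICE-2024.txt" + b"\x00" * 16
                  + b"[deleted] pay acct 998877" + b"\x00" * 7)

def sha256(data):
    return hashlib.sha256(data).hexdigest()

@dataclass(frozen=True)
class CustodyEntry:
    when: str
    handler: str
    action: str
    digest: str  # hash of the evidence at the moment it was handled

class EvidenceRecord:
    """Identify -> preserve -> analyse -> present, with a hash recorded at every step."""

    def __init__(self, label, media, handler):
        self.label = label
        self.original = bytes(media)  # treated as read-only, as a write blocker would enforce
        self.log = [self._entry(handler, "identify", self.original)]

    @staticmethod
    def _entry(handler, action, data):
        return CustodyEntry(datetime.now(timezone.utc).isoformat(), handler, action, sha256(data))

    def acquire_image(self, handler):
        """Bit-for-bit copy, sector by sector, verified against the hash taken at identification."""
        image = b"".join(self.original[i:i + SECTOR] for i in range(0, len(self.original), SECTOR))
        if sha256(image) != self.log[0].digest:
            raise RuntimeError("image hash does not match the original; acquisition failed")
        self.log.append(self._entry(handler, "preserve", image))
        return image

    def extract_residual(self, image, handler):
        """Analysis is done on the image only: pull a deleted-file remnant out of the slack."""
        marker = b"[deleted]"
        start = image.find(marker)
        found = image[start:].rstrip(b"\x00").decode() if start >= 0 else ""
        self.log.append(self._entry(handler, "analyse", image))
        return found

    def present(self, handler):
        """Presenting evidence is logged like every other step and must not change it."""
        self.log.append(self._entry(handler, "present", self.original))
        return [(e.handler, e.action) for e in self.log]

    def chain_intact(self):
        """Every recorded digest must still equal the current hash of the original."""
        current = sha256(self.original)
        return all(e.digest == current for e in self.log)
```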